Play interactive tour

Edit tour

Analysis Report https://www.sendspace.com/pro/dl/eu3kr3

Overview

General Information

Sample URL:	https://www.sendspace.com/pro/dl/eu3kr3
Analysis ID:	366435
Infos:
Most interesting Screenshot:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Suspicious Double Extension

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates a thread in another existing process (thread injection)

Delayed program exit found

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Uses dynamic DNS services

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Potential browser exploit detected (process start blacklist hit)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara signature match

Classification

Startup

System is w10x64

iexplore.exe (PID: 4440 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2076 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4440 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

unarchiver.exe (PID: 6272 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar' MD5: 8B435F8731563566F3F49203BA277865)

7za.exe (PID: 6316 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6400 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Rate_Confirmation #LOAD.pdf.exe (PID: 6440 cmdline: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe MD5: BFCF046DBD2BE19BE45A02E319609060)

DpiScaling.exe (PID: 6360 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)

cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "alukoren.duckdns.org:9144:1", "Assigned name": "Mar 1", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "dfgyre.exe", "Startup value": "sdghbq", "Hide file": "Disable", "Mutex": "aqyuio-EG6HAK", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "dfgh.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "fghds", "Keylog folder": "fgha", "Keylog file max size": "10000"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Libraries\hoelB.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar.1d8m29r.partial	SUSP_RAR_with_PDF_Script_Obfuscation	Detects RAR file with suspicious .pdf extension prefix to trick users	Florian Roth	0x48:$s5: .pdf.exe 0x444c7:$s5: .pdf.exe
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf[1].rar	SUSP_RAR_with_PDF_Script_Obfuscation	Detects RAR file with suspicious .pdf extension prefix to trick users	Florian Roth	0x48:$s5: .pdf.exe 0x444c7:$s5: .pdf.exe

Memory Dumps

Source	Rule	Description	Author	Strings
00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x5f6e4:$str_a1: C:\Windows\System32\cmd.exe 0x5f660:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f660:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e82c:$str_b2: Executing file: 0x5f828:$str_b3: GetDirectListeningPort 0x5f0a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f424:$str_b5: licence_code.txt 0x5f2c8:$str_b7: \update.vbs 0x5e89c:$str_b9: Downloaded file: 0x5e868:$str_b10: Downloading file: 0x5e850:$str_b12: Failed to upload file: 0x5f7f0:$str_b13: StartForward 0x5f810:$str_b14: StopForward 0x5f270:$str_b15: fso.DeleteFile " 0x5f204:$str_b16: On Error Resume Next 0x5f2a0:$str_b17: fso.DeleteFolder " 0x5e840:$str_b18: Uploaded file: 0x5e8dc:$str_b19: Unable to delete: 0x5f238:$str_b20: while fso.FileExists("
00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp	REMCOS_RAT_variants	unknown	unknown	0x60384:$str_a1: C:\Windows\System32\cmd.exe 0x60300:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60300:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f928:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5ff80:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f4cc:$str_b2: Executing file: 0x604c8:$str_b3: GetDirectListeningPort 0x5fd40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x600c4:$str_b5: licence_code.txt 0x5ff68:$str_b7: \update.vbs 0x5f53c:$str_b9: Downloaded file: 0x5f508:$str_b10: Downloading file: 0x5f4f0:$str_b12: Failed to upload file: 0x60490:$str_b13: StartForward 0x604b0:$str_b14: StopForward 0x5ff10:$str_b15: fso.DeleteFile " 0x5fea4:$str_b16: On Error Resume Next 0x5ff40:$str_b17: fso.DeleteFolder " 0x5f4e0:$str_b18: Uploaded file: 0x5f57c:$str_b19: Unable to delete: 0x5fed8:$str_b20: while fso.FileExists("
Process Memory Space: DpiScaling.exe PID: 6360	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.DpiScaling.exe.10590000.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.DpiScaling.exe.10590000.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f784:$str_a1: C:\Windows\System32\cmd.exe 0x5f700:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f700:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ed28:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f380:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e8cc:$str_b2: Executing file: 0x5f8c8:$str_b3: GetDirectListeningPort 0x5f140:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f4c4:$str_b5: licence_code.txt 0x5f368:$str_b7: \update.vbs 0x5e93c:$str_b9: Downloaded file: 0x5e908:$str_b10: Downloading file: 0x5e8f0:$str_b12: Failed to upload file: 0x5f890:$str_b13: StartForward 0x5f8b0:$str_b14: StopForward 0x5f310:$str_b15: fso.DeleteFile " 0x5f2a4:$str_b16: On Error Resume Next 0x5f340:$str_b17: fso.DeleteFolder " 0x5e8e0:$str_b18: Uploaded file: 0x5e97c:$str_b19: Unable to delete: 0x5f2d8:$str_b20: while fso.FileExists("
25.2.DpiScaling.exe.10590000.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.DpiScaling.exe.10590000.3.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x60384:$str_a1: C:\Windows\System32\cmd.exe 0x60300:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60300:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f928:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5ff80:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f4cc:$str_b2: Executing file: 0x604c8:$str_b3: GetDirectListeningPort 0x5fd40:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x600c4:$str_b5: licence_code.txt 0x5ff68:$str_b7: \update.vbs 0x5f53c:$str_b9: Downloaded file: 0x5f508:$str_b10: Downloading file: 0x5f4f0:$str_b12: Failed to upload file: 0x60490:$str_b13: StartForward 0x604b0:$str_b14: StopForward 0x5ff10:$str_b15: fso.DeleteFile " 0x5fea4:$str_b16: On Error Resume Next 0x5ff40:$str_b17: fso.DeleteFolder " 0x5f4e0:$str_b18: Uploaded file: 0x5f57c:$str_b19: Unable to delete: 0x5fed8:$str_b20: while fso.FileExists("
25.2.DpiScaling.exe.105918a0.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.DpiScaling.exe.105918a0.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5eae4:$str_a1: C:\Windows\System32\cmd.exe 0x5ea60:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ea60:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e088:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e6e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5dc2c:$str_b2: Executing file: 0x5ec28:$str_b3: GetDirectListeningPort 0x5e4a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e824:$str_b5: licence_code.txt 0x5e6c8:$str_b7: \update.vbs 0x5dc9c:$str_b9: Downloaded file: 0x5dc68:$str_b10: Downloading file: 0x5dc50:$str_b12: Failed to upload file: 0x5ebf0:$str_b13: StartForward 0x5ec10:$str_b14: StopForward 0x5e670:$str_b15: fso.DeleteFile " 0x5e604:$str_b16: On Error Resume Next 0x5e6a0:$str_b17: fso.DeleteFolder " 0x5dc40:$str_b18: Uploaded file: 0x5dcdc:$str_b19: Unable to delete: 0x5e638:$str_b20: while fso.FileExists("
25.2.DpiScaling.exe.105918a0.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.DpiScaling.exe.105918a0.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x5dee4:$str_a1: C:\Windows\System32\cmd.exe 0x5de60:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5de60:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5d488:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5dae0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5d02c:$str_b2: Executing file: 0x5e028:$str_b3: GetDirectListeningPort 0x5d8a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5dc24:$str_b5: licence_code.txt 0x5dac8:$str_b7: \update.vbs 0x5d09c:$str_b9: Downloaded file: 0x5d068:$str_b10: Downloading file: 0x5d050:$str_b12: Failed to upload file: 0x5dff0:$str_b13: StartForward 0x5e010:$str_b14: StopForward 0x5da70:$str_b15: fso.DeleteFile " 0x5da04:$str_b16: On Error Resume Next 0x5daa0:$str_b17: fso.DeleteFolder " 0x5d040:$str_b18: Uploaded file: 0x5d0dc:$str_b19: Unable to delete: 0x5da38:$str_b20: while fso.FileExists("
25.2.DpiScaling.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.DpiScaling.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x5eae4:$str_a1: C:\Windows\System32\cmd.exe 0x5ea60:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ea60:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5e088:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5e6e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5dc2c:$str_b2: Executing file: 0x5ec28:$str_b3: GetDirectListeningPort 0x5e4a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5e824:$str_b5: licence_code.txt 0x5e6c8:$str_b7: \update.vbs 0x5dc9c:$str_b9: Downloaded file: 0x5dc68:$str_b10: Downloading file: 0x5dc50:$str_b12: Failed to upload file: 0x5ebf0:$str_b13: StartForward 0x5ec10:$str_b14: StopForward 0x5e670:$str_b15: fso.DeleteFile " 0x5e604:$str_b16: On Error Resume Next 0x5e6a0:$str_b17: fso.DeleteFolder " 0x5dc40:$str_b18: Uploaded file: 0x5dcdc:$str_b19: Unable to delete: 0x5e638:$str_b20: while fso.FileExists("
25.2.DpiScaling.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.DpiScaling.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x5f6e4:$str_a1: C:\Windows\System32\cmd.exe 0x5f660:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5f660:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5ec88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x5f2e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5e82c:$str_b2: Executing file: 0x5f828:$str_b3: GetDirectListeningPort 0x5f0a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x5f424:$str_b5: licence_code.txt 0x5f2c8:$str_b7: \update.vbs 0x5e89c:$str_b9: Downloaded file: 0x5e868:$str_b10: Downloading file: 0x5e850:$str_b12: Failed to upload file: 0x5f7f0:$str_b13: StartForward 0x5f810:$str_b14: StopForward 0x5f270:$str_b15: fso.DeleteFile " 0x5f204:$str_b16: On Error Resume Next 0x5f2a0:$str_b17: fso.DeleteFolder " 0x5e840:$str_b18: Uploaded file: 0x5e8dc:$str_b19: Unable to delete: 0x5f238:$str_b20: while fso.FileExists("
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe, CommandLine: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe, ParentCommandLine: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6400, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe, ProcessId: 6440

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 25.2.DpiScaling.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": "alukoren.duckdns.org:9144:1", "Assigned name": "Mar 1", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "dfgyre.exe", "Startup value": "sdghbq", "Hide file": "Disable", "Mutex": "aqyuio-EG6HAK", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "dfgh.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "wikipedia;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "fghds", "Keylog folder": "fgha", "Keylog file max size": "10000"}

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DpiScaling.exe PID: 6360, type: MEMORY
Source: Yara match	File source: 25.2.DpiScaling.exe.10590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.10590000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.105918a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.105918a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar.1d8m29r.partial	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Bleohpoe.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf[1].rar	Joe Sandbox ML: detected

Source: 25.2.DpiScaling.exe.10590000.3.unpack	Avira: Label: TR/Dropper.Gen
Source: 15.3.7za.exe.2370000.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0042DF59 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

25_2_0042DF59

Source: DpiScaling.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.153.148:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.148:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.148:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.148:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.249.68.209:443 -> 192.168.2.5:49717 version: TLS 1.2

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0041513C FindFirstFileW,FindNextFileW,FindNextFileW,	25_2_0041513C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_004061D5 FindFirstFileW,FindNextFileW,	25_2_004061D5
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_004173A2 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	25_2_004173A2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0040A441 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	25_2_0040A441
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_004454B9 FindFirstFileExA,	25_2_004454B9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0040A65C FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	25_2_0040A65C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00407840 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	25_2_00407840
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00407CA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	25_2_00407CA7

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0040698F SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

25_2_0040698F

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 04AC097Fh		14_2_04AC02A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 4x nop then jmp 04AC097Eh		14_2_04AC02A8

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\SysWOW64\unarchiver.exe

Jump to behavior

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: alukoren.duckdns.org

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: alukoren.duckdns.org

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00404B18 recv,

25_2_00404B18

Source: unknown

DNS traffic detected: queries for: www.sendspace.com

Source: Rate_Confirmation #LOAD.pdf.exe, 00000013.00000003.317024902.0000000002BCB000.00000004.00000001.sdmp

String found in binary or memory: https://www.samtaxitours.com/qasdgkasdcmvmgkiwi4858fhsjdjfmncjdtu684udhsdfgv/Bleoh

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown	HTTPS traffic detected: 172.67.153.148:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.148:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.148:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.153.148:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.249.68.209:443 -> 192.168.2.5:49717 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes

Show sources

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Esc]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Enter]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Tab]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Down]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Right]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Up]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Left]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [End]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [F2]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [F1]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Del]	25_2_00409348
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: [Del]	25_2_00409348

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_004120F3 SetEvent,OpenClipboard,CloseClipboard,GetTickCount,StrToIntA,SetWindowTextW,CreateThread,ShowWindow,SetForegroundWindow,

25_2_004120F3

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00412AAE EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

25_2_00412AAE

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00408826 GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,

25_2_00408826

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DpiScaling.exe PID: 6360, type: MEMORY
Source: Yara match	File source: 25.2.DpiScaling.exe.10590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.10590000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.105918a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.105918a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.DpiScaling.exe.10590000.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.DpiScaling.exe.10590000.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.DpiScaling.exe.105918a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.DpiScaling.exe.105918a0.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_004129A1 ExitWindowsEx,LoadLibraryA,GetProcAddress,

25_2_004129A1

Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 14_2_04AC02A8	14_2_04AC02A8
Source: C:\Windows\SysWOW64\unarchiver.exe	Code function: 14_2_04AC0299	14_2_04AC0299
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0041A42D	25_2_0041A42D
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0042E064	25_2_0042E064
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00433151	25_2_00433151
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00422246	25_2_00422246
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_004342CF	25_2_004342CF
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0044C3BA	25_2_0044C3BA
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0044A578	25_2_0044A578
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0043E510	25_2_0043E510
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0043052E	25_2_0043052E
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0043364D	25_2_0043364D
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_004228E4	25_2_004228E4
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0043796C	25_2_0043796C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00433A65	25_2_00433A65
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00422A27	25_2_00422A27
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00437B9B	25_2_00437B9B
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0044AC89	25_2_0044AC89
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00421D4F	25_2_00421D4F
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00450D60	25_2_00450D60
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00437DCA	25_2_00437DCA
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00433E9A	25_2_00433E9A
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00418EAE	25_2_00418EAE
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00410F3C	25_2_00410F3C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00430FE0	25_2_00430FE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_1059109B	25_2_1059109B

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 0042F4D0 appears 53 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 00402064 appears 75 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 0042EE10 appears 35 times

Source: Rate_Confirmation #LOAD.pdf.exe.15.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Bleohpoe.exe.19.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\Public\Libraries\hoelB.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar.1d8m29r.partial, type: DROPPED	Matched rule: SUSP_RAR_with_PDF_Script_Obfuscation date = 2019-04-06, hash1 = b629b46b009a1c2306178e289ad0a3d9689d4b45c3d16804599f23c90c6bca5b, author = Florian Roth, description = Detects RAR file with suspicious .pdf extension prefix to trick users, reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf[1].rar, type: DROPPED	Matched rule: SUSP_RAR_with_PDF_Script_Obfuscation date = 2019-04-06, hash1 = b629b46b009a1c2306178e289ad0a3d9689d4b45c3d16804599f23c90c6bca5b, author = Florian Roth, description = Detects RAR file with suspicious .pdf extension prefix to trick users, reference = Internal Research
Source: 25.2.DpiScaling.exe.10590000.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.DpiScaling.exe.10590000.3.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.DpiScaling.exe.105918a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.DpiScaling.exe.105918a0.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: classification engine

Classification label: mal100.troj.spyw.evad.win@15/19@4/3

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_004136E6 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

25_2_004136E6

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0040D44C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle,

25_2_0040D44C

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0040D6BD FindResourceA,LoadResource,LockResource,SizeofResource,

25_2_0040D6BD

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_004160C1 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

25_2_004160C1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{83805620-8219-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
Source: C:\Windows\SysWOW64\DpiScaling.exe	Mutant created: \Sessions\1\BaseNamedObjects\aqyuio-EG6HAK

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA431D7639D759B21.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4440 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar'
Source: unknown	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe
Source: unknown	Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4440 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0040D325 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

25_2_0040D325

Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C2227 push 00000054h; iretd	19_3_022C222A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C2227 push 00000054h; iretd	19_3_022C222A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C3257 push es; iretd	19_3_022C321A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C3257 push es; iretd	19_3_022C321A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C2326 push 0000002Ch; iretd	19_3_022C232C
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C2326 push 0000002Ch; iretd	19_3_022C232C
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C231F push 0000002Ch; iretd	19_3_022C2323
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C231F push 0000002Ch; iretd	19_3_022C2323
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C67E3 push 3CE7E7E9h; iretd	19_3_022C67E8
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C67E3 push 3CE7E7E9h; iretd	19_3_022C67E8
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C6850 push 0000002Ch; ret	19_3_022C6852
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C6850 push 0000002Ch; ret	19_3_022C6852
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C0CBC push ds; iretd	19_3_022C0CC6
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C0CBC push ds; iretd	19_3_022C0CC6
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C31C5 push es; iretd	19_3_022C321A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C31C5 push es; iretd	19_3_022C321A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C2227 push 00000054h; iretd	19_3_022C222A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C2227 push 00000054h; iretd	19_3_022C222A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C3257 push es; iretd	19_3_022C321A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C3257 push es; iretd	19_3_022C321A
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C2326 push 0000002Ch; iretd	19_3_022C232C
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C2326 push 0000002Ch; iretd	19_3_022C232C
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C231F push 0000002Ch; iretd	19_3_022C2323
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C231F push 0000002Ch; iretd	19_3_022C2323
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C67E3 push 3CE7E7E9h; iretd	19_3_022C67E8
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C67E3 push 3CE7E7E9h; iretd	19_3_022C67E8
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C6850 push 0000002Ch; ret	19_3_022C6852
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C6850 push 0000002Ch; ret	19_3_022C6852
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C0CBC push ds; iretd	19_3_022C0CC6
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C0CBC push ds; iretd	19_3_022C0CC6
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Code function: 19_3_022C31C5 push es; iretd	19_3_022C321A

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00405C45 ShellExecuteW,URLDownloadToFileW,

25_2_00405C45

Source: C:\Windows\SysWOW64\7za.exe	File created: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	File created: C:\Users\Public\Libraries\Bleohpoe.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_004160C1 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

25_2_004160C1

Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Bleoh			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Bleoh			Jump to behavior

Source: C:\Windows\SysWOW64\DpiScaling.exe

25_2_0040D325

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Delayed program exit found

Show sources

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0040D6F4 Sleep,ExitProcess,

25_2_0040D6F4

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

25_2_00415DEF

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\DpiScaling.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_25-51424

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6392	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 4640	Thread sleep count: 346 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 4640	Thread sleep time: -3460000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\DpiScaling.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00408667 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: je 00408688h

25_2_00408667

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0041513C FindFirstFileW,FindNextFileW,FindNextFileW,	25_2_0041513C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_004061D5 FindFirstFileW,FindNextFileW,	25_2_004061D5
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_004173A2 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,	25_2_004173A2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0040A441 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	25_2_0040A441
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_004454B9 FindFirstFileExA,	25_2_004454B9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0040A65C FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	25_2_0040A65C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00407840 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	25_2_00407840
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00407CA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	25_2_00407CA7

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0040698F SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW,

25_2_0040698F

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 14_2_0099B042 GetSystemInfo,

14_2_0099B042

Source: C:\Windows\SysWOW64\DpiScaling.exe

API call chain: ExitProcess graph end node

graph_25-52067

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0042F099 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

25_2_0042F099

Source: C:\Windows\SysWOW64\DpiScaling.exe

25_2_0040D325

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0043B809 mov eax, dword ptr fs:[00000030h]	25_2_0043B809
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_1059109B mov eax, dword ptr fs:[00000030h]	25_2_1059109B
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_1059109B mov eax, dword ptr fs:[00000030h]	25_2_1059109B

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0044680E GetProcessHeap,

25_2_0044680E

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0042F22B SetUnhandledExceptionFilter,	25_2_0042F22B
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0042F099 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_0042F099
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_00436123 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00436123
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 25_2_0042F69C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_0042F69C

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00413EB9 __EH_prolog,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

25_2_00413EB9

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 930000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 9F0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 970000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 990000	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe

Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10590000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 930000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 9C0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 9D0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 9E0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 9F0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 940000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 950000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 960000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 970000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 10590000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 980000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 990000	Jump to behavior

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe

25_2_0040F791

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00414CCB StrToIntA,mouse_event,

25_2_00414CCB

Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar'	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe	Jump to behavior

Source: DpiScaling.exe, 00000019.00000002.495531041.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: DpiScaling.exe, 00000019.00000002.495531041.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: DpiScaling.exe, 00000019.00000002.495531041.0000000003400000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: DpiScaling.exe, 00000019.00000002.495531041.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: DpiScaling.exe, 00000019.00000002.495531041.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0042F326 cpuid

25_2_0042F326

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	25_2_004490FD
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: GetLocaleInfoW,	25_2_00449204
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	25_2_004492D1
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: GetLocaleInfoA,	25_2_0040D824
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: EnumSystemLocalesW,	25_2_00440991
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	25_2_00448999
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: EnumSystemLocalesW,	25_2_00448C5C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: EnumSystemLocalesW,	25_2_00448C11
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: EnumSystemLocalesW,	25_2_00448CF7
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	25_2_00448D84
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: GetLocaleInfoW,	25_2_00440E7A
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: GetLocaleInfoW,	25_2_00448FD4

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00404E50 GetLocalTime,CreateEventA,CreateThread,

25_2_00404E50

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_00416A5B GetComputerNameExW,GetUserNameW,

25_2_00416A5B

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 25_2_0044171D _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

25_2_0044171D

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DpiScaling.exe PID: 6360, type: MEMORY
Source: Yara match	File source: 25.2.DpiScaling.exe.10590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.10590000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.105918a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.105918a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

25_2_0040A323

Contains functionality to steal Firefox passwords or cookies

Show sources

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		25_2_0040A441
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: \key3.db		25_2_0040A441

Remote Access Functionality:

Detected Remcos RAT

Show sources

Source: DpiScaling.exe	String found in binary or memory: Remcos_Mutex_Inj
Source: DpiScaling.exe, 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.2 Prov

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DpiScaling.exe PID: 6360, type: MEMORY
Source: Yara match	File source: 25.2.DpiScaling.exe.10590000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.10590000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.105918a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.105918a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.DpiScaling.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: cmd.exe

25_2_004055A5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Exploitation for Client Execution1	Windows Service1	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Input Capture111	Account Discovery1	Remote Desktop Protocol	Input Capture111	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Registry Run Keys / Startup Folder1	Windows Service1	Obfuscated Files or Information3	Credentials In Files2	System Service Discovery1	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution2	Logon Script (Mac)	Process Injection422	Software Packing1	NTDS	File and Directory Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	Masquerading1	LSA Secrets	System Information Discovery34	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol22	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Security Software Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Virtualization/Sandbox Evasion2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection422	Proc Filesystem	Process Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://www.sendspace.com/pro/dl/eu3kr3	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar.1d8m29r.partial	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Bleohpoe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf[1].rar	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
25.2.DpiScaling.exe.10590000.3.unpack	100%	Avira	TR/Dropper.Gen		Download File
15.3.7za.exe.2370000.0.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
alukoren.duckdns.org	0%	Avira URL Cloud	safe
https://www.samtaxitours.com/qasdgkasdcmvmgkiwi4858fhsjdjfmncjdtu684udhsdfgv/Bleoh	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
alukoren.duckdns.org	199.249.223.130	true	true	unknown
samtaxitours.com	72.249.68.209	true	false	unknown
www.sendspace.com	172.67.153.148	true	false	high
fs03n1.sendspace.com	172.67.153.148	true	false	high
www.samtaxitours.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
alukoren.duckdns.org	true	Avira URL Cloud: safe	unknown
0	true		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.samtaxitours.com/qasdgkasdcmvmgkiwi4858fhsjdjfmncjdtu684udhsdfgv/Bleoh	Rate_Confirmation #LOAD.pdf.exe, 00000013.00000003.317024902.0000000002BCB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
72.249.68.209	samtaxitours.com	United States	36024	AS-TIERP-36024US	false
172.67.153.148	www.sendspace.com	United States	13335	CLOUDFLARENETUS	false
199.249.223.130	alukoren.duckdns.org	United States	62744	QUINTEXUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	366435
Start date:	10.03.2021
Start time:	19:25:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://www.sendspace.com/pro/dl/eu3kr3
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.win@15/19@4/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 102 Number of non-executed functions: 161
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, ielowutil.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 23.211.6.115, 104.108.39.131, 23.210.248.85, 20.82.209.183, 152.199.19.161, 13.88.21.125, 51.103.5.186, 92.122.213.194, 92.122.213.247, 40.88.32.150, 20.54.26.129, 168.61.161.212 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target Rate_Confirmation #LOAD.pdf.exe, PID 6440 because there are no executed function Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: https://www.sendspace.com/pro/dl/eu3kr3

Simulations

Behavior and APIs

Time	Type	Description
19:26:44	API Interceptor	2x Sleep call for process: Rate_Confirmation #LOAD.pdf.exe modified
19:27:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Bleoh C:\Users\Public\Libraries\hoelB.url
19:27:06	API Interceptor	543x Sleep call for process: DpiScaling.exe modified
19:27:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Bleoh C:\Users\Public\Libraries\hoelB.url

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\Public\Libraries\Bleohpoe.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	906592
Entropy (8bit):	5.903392548306433
Encrypted:	false
SSDEEP:	12288:YzRfIpCWhEBF/I7qtfUdazMzK3HZo5giUCG:YztzBFv9o0e5gwG
MD5:	BFCF046DBD2BE19BE45A02E319609060
SHA1:	B91E5257437CB8A2210E85FAA34C05AEE5A4392D
SHA-256:	FA2451279832638DC9505173ECD7211BCB671D287EC0F49AEC8294647766DAD4
SHA-512:	8B06DEC270884E2C8B1D29BD1F61A9AD7CE251AD4E570C179C77607BE5A7B8DB1D79B03C3D7B9E684EBEC4E802ED78F0D0CD2BD4060121D814A65EE05C63BEBE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................... ...................@...............................$...P..................`........l..................................................................................CODE................................ ..`DATA....(...........................@...BSS.....1............d...................idata...$.......&...d..............@....tls.....................................rdata..............................@..P.reloc...l.......l..................@..P.rsrc........P......................@..P............. ......................@..P........................................................................................................................................

C:\Users\Public\Libraries\hoelB.url Download File
Process:	C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Bleohpoe.exe">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.784906090952169
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMdA5pvsGKd5ov:HRYFVmTWDyziyvsb5y
MD5:	57ADC0CB566F8B1EFB1E313F735DD9E3
SHA1:	40AC3231A4C4F65C934E587ADE57138B48188B97
SHA-256:	9145892A94FE1CCCFAB19F5D94BB083E0259EFAC045DD775710804915A7A53F2
SHA-512:	691BC58CEEE6A572C36288AC4F63027F920EFCAA9E3B3B9E6C2FF4FF6C54408F159239F7A81C14470A61ABCE142A194AF5B1B6C9C512551397BCBE2CF0B1133D
Malicious:	false
Yara Hits:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\hoelB.url, Author: @itsreallynick (Nick Carr)
Reputation:	low
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Bleohpoe.exe"..IconIndex=1..

C:\Users\Public\Libraries\temp Download File
Process:	C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	577536
Entropy (8bit):	7.977234842227631
Encrypted:	false
SSDEEP:	12288:iyIiStBbH7nGxOU5A8CbYtYPw34qzFx5RIt2DaJn1ugqJ+82NLKd8cydc:Wp7nK4bYtYy4IZRi3Gld85K
MD5:	7054321ADADF49A280D2B5A7B9458DAE
SHA1:	470B4A7D00EA524CC1F1A71BF232E77FC15C25CF
SHA-256:	826B6DA409F8CB64330B562401E17956A1E57A8A0F02BCF4819988CC3CB16762
SHA-512:	CA9EF2C5B51426EA001874A186F3C4DC205C29AE70CB868AF4288DDCCD88096F7751A26EE6D85880E8F126D8FD9CDD0441301032ED1E39DB6DD7B750CD23C8F7
Malicious:	false
Reputation:	low
Preview:	.........<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.88.2<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.7..<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.88.2<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.7..<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.b...E.....:..9............/..$...................................5.........mr. B..{x..t....m..o.}.....zb..v..n..s:>x[.L#j`.....................................................................................................................................=..>....Xb.4t.z.......:.<06...:.........O .W";..%.....@..n..7.....................................5..,....+..,......)..;................................................................................................................................hBS..YhZ.....>..,...................=...xK.,..X^E;..%.......................X...zH.3TSF..5..>.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	388
Entropy (8bit):	5.2529463157768355
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk7v:MLF20NaL329hJ5g522r0
MD5:	FF3B761A021930205BEC9D7664AE9258
SHA1:	1039D595C6333358D5F7EE5619FE6794E6F5FDB1
SHA-256:	A3517BC4B1E6470905F9A38466318B302186496E8706F1976F1ED76F3E87AF0F
SHA-512:	1E77D09CF965575EF9800B1EE8947A02D98F88DBFA267300330860757A0C7350AF857A2CB7001C49AFF1F5BD1E0AE6E90F643B27054522CADC730DD14BC3DE11
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{83805620-8219-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	46680
Entropy (8bit):	1.9195020359344346
Encrypted:	false
SSDEEP:	192:r+ZdZdD2dMWdutdNfdjhMdbdAdgfd/srddhfd/LrduB0dSW:rKTsBsrs9KEwBlDR
MD5:	2816BCB1747E97D5274D31908E826A0C
SHA1:	A7E75F9D960C8085A6366ACE66A7AE7AB551631D
SHA-256:	EE738FA24AE4693BF497BCE618A94F8E58843215C07EE9EB2E8F686079EA45C9
SHA-512:	45B4540DC2577A336E7B41FEF8B87A6C5F4FC12AEA5161F5800C6BDB2C532D142217E676122F0EEB9C3A86BB2941264FC497443B756514B4B7E0D06F45656666
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{83805622-8219-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.598482040711977
Encrypted:	false
SSDEEP:	48:IwOGcpr7GwpamG4pQyGrapbSHcGQpBhrUGHHpchR7TGUpQhdwWGcpm:rSZVQW60BSH0jhrL2hRV6hvg
MD5:	CCEE846F1354714473ABF2BEDA15B4B4
SHA1:	837F45A3B15054886CF119DE42D5780CE44DDD3C
SHA-256:	8F14FEC4D96B8F32C1371D91F4139CE2D18A7639E56AEEA9E857D98BF5CE9BFF
SHA-512:	BC44DCDA72D4E40E331D7F2891CE321EABFD0620966C12430A003BC1620E47F33F2CB4F45B6061920541705605EA7AC6E7CAFFDB43A4540E424853D2C8D33A00
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8D4A1D1D-8219-11EB-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5858955791654339
Encrypted:	false
SSDEEP:	48:IwnGcprqGwpaoG4pQcGrapbS6GQpKWG7HpRFTGIpX2MWGApm:rNZyQ46aBSCABTTFmg
MD5:	F48600CD9192492308FDB70BC3D4C14F
SHA1:	0FE8F97D04F2A7B0F28D880932D0513F2E036B06
SHA-256:	9F3A6ADEDBABC6DC54E7EE3BBA140BC637E057E213879C11C156A6A122624260
SHA-512:	B7E9DC6976FAA84D3C9646CE32811AFE00A6480B1A10AF30E085185256E60059A389949132866F9B4E4F30D2FEBFE5FA79BF92052732DEFC744F2805F308FCB0
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar.1d8m29r.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	279778
Entropy (8bit):	7.998385495652214
Encrypted:	true
SSDEEP:	6144:KGJ7G3H1O+JQnCrKlCk+QeKV2XN65ax+Q85MwVl:P7GH1Oiy8a0tx+TPl
MD5:	7797C46F6EBFB3160B05C0A021FE003A
SHA1:	4981360A6A810A5F6A75872AE0D26A43F560CA19
SHA-256:	7E299137F6E7E7F115D1D011E53F275598462DDD417C2ECDE6C6DEC2264CA6D8
SHA-512:	2A9BC1D23837755CB4673CC7354816FBEE98E6DC4274098B84D1EE77B57251AD4A5881FC4BE26D9A4BEBC6E84314A56AE1C8973E4AF088ABCEC4B9EB35713687
Malicious:	true
Yara Hits:	Rule: SUSP_RAR_with_PDF_Script_Obfuscation, Description: Detects RAR file with suspicious .pdf extension prefix to trick users, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar.1d8m29r.partial, Author: Florian Roth
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	Rar!....}p.................=........7 .0P....Rate_Confirmation #LOAD.pdf.exe.....J.....;.O..DT2$W.hw.frI....A .X..D.2...............$`1....wd&G$.r[7b.....Q.i..uuc..rL..CV....R j....&.@....U..Wu{....&r.wWWUWWWWW\|...W.O.<...Eg.?..W..@..'...`....@..P.......8....P..$...~.......?T.\|.....P.8:....@....h..... . .T.6.....'....<.'>\|q.C,....7H...w...Gg...n..f..v...T..f.a..Pxq..;$#;.(.du...h..4..~c/..g....M..v.b...rn....V.b.q.P...C.h.e.......Q.8<z...S.1...i.Su...r.G.o.z@..c......:...s.;..t......O..1.P...SM'..X...1 c..o..0..\..p..M...}...^....s.3&.t{..n.3:..^.......Cf<..;...\......#K2+s.......9jeE.@`..>.8..e...v....K.......S........6..W..........<....49t6wa.....{FwP3vht&z..eD\|.24U.......)()....N.h3k!...(..at....H.t...\|D(...^...).W.q.j.o.+.().u...P...Xy..D,........xh.>...^......O..].C...0...].e....kM.....F^.gY`B...$(.0s.i..h.tSQ.x.F.P.7.&.8.....ao.J.=....+'...=...M..X?...E...V...]D...{...........F<..f...........*..r.#u.g.7^..r].n.z[R.W%.Kd_L.%....r...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar.1d8m29r.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf[1].rar Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	279778
Entropy (8bit):	7.998385495652214
Encrypted:	true
SSDEEP:	6144:KGJ7G3H1O+JQnCrKlCk+QeKV2XN65ax+Q85MwVl:P7GH1Oiy8a0tx+TPl
MD5:	7797C46F6EBFB3160B05C0A021FE003A
SHA1:	4981360A6A810A5F6A75872AE0D26A43F560CA19
SHA-256:	7E299137F6E7E7F115D1D011E53F275598462DDD417C2ECDE6C6DEC2264CA6D8
SHA-512:	2A9BC1D23837755CB4673CC7354816FBEE98E6DC4274098B84D1EE77B57251AD4A5881FC4BE26D9A4BEBC6E84314A56AE1C8973E4AF088ABCEC4B9EB35713687
Malicious:	true
Yara Hits:	Rule: SUSP_RAR_with_PDF_Script_Obfuscation, Description: Detects RAR file with suspicious .pdf extension prefix to trick users, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf[1].rar, Author: Florian Roth
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	Rar!....}p.................=........7 .0P....Rate_Confirmation #LOAD.pdf.exe.....J.....;.O..DT2$W.hw.frI....A .X..D.2...............$`1....wd&G$.r[7b.....Q.i..uuc..rL..CV....R j....&.@....U..Wu{....&r.wWWUWWWWW\|...W.O.<...Eg.?..W..@..'...`....@..P.......8....P..$...~.......?T.\|.....P.8:....@....h..... . .T.6.....'....<.'>\|q.C,....7H...w...Gg...n..f..v...T..f.a..Pxq..;$#;.(.du...h..4..~c/..g....M..v.b...rn....V.b.q.P...C.h.e.......Q.8<z...S.1...i.Su...r.G.o.z@..c......:...s.;..t......O..1.P...SM'..X...1 c..o..0..\..p..M...}...^....s.3&.t{..n.3:..^.......Cf<..;...\......#K2+s.......9jeE.@`..>.8..e...v....K.......S........6..W..........<....49t6wa.....{FwP3vht&z..eD\|.24U.......)()....N.h3k!...(..at....H.t...\|D(...^...).W.q.j.o.+.().u...P...Xy..D,........xh.>...^......O..].C...0...].e....kM.....F^.gY`B...$(.0s.i..h.tSQ.x.F.P.7.&.8.....ao.J.=....+'...=...M..X?...E...V...]D...{...........F<..f...........*..r.#u.g.7^..r].n.z[R.W%.Kd_L.%....r...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\Bleoh[1] Download File
Process:	C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe
File Type:	data
Category:	downloaded
Size (bytes):	577536
Entropy (8bit):	7.977234842227631
Encrypted:	false
SSDEEP:	12288:iyIiStBbH7nGxOU5A8CbYtYPw34qzFx5RIt2DaJn1ugqJ+82NLKd8cydc:Wp7nK4bYtYy4IZRi3Gld85K
MD5:	7054321ADADF49A280D2B5A7B9458DAE
SHA1:	470B4A7D00EA524CC1F1A71BF232E77FC15C25CF
SHA-256:	826B6DA409F8CB64330B562401E17956A1E57A8A0F02BCF4819988CC3CB16762
SHA-512:	CA9EF2C5B51426EA001874A186F3C4DC205C29AE70CB868AF4288DDCCD88096F7751A26EE6D85880E8F126D8FD9CDD0441301032ED1E39DB6DD7B750CD23C8F7
Malicious:	false
Reputation:	low
IE Cache URL:	https://www.samtaxitours.com/qasdgkasdcmvmgkiwi4858fhsjdjfmncjdtu684udhsdfgv/Bleoh
Preview:	.........<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.88.2<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.7..<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.88.2<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.7..<66.5..c_.gi.x..};vb_Sb_&wE4J~<8.b...E.....:..9............/..$...................................5.........mr. B..{x..t....m..o.}.....zb..v..n..s:>x[.L#j`.....................................................................................................................................=..>....Xb.4t.z.......:.<06...:.........O .W";..%.....@..n..7.....................................5..,....+..,......)..;................................................................................................................................hBS..YhZ.....>..,...................=...xK.,..X^E;..%.......................X...zH.3TSF..5..>.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe Download File
Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	906592
Entropy (8bit):	5.903392548306433
Encrypted:	false
SSDEEP:	12288:YzRfIpCWhEBF/I7qtfUdazMzK3HZo5giUCG:YztzBFv9o0e5gwG
MD5:	BFCF046DBD2BE19BE45A02E319609060
SHA1:	B91E5257437CB8A2210E85FAA34C05AEE5A4392D
SHA-256:	FA2451279832638DC9505173ECD7211BCB671D287EC0F49AEC8294647766DAD4
SHA-512:	8B06DEC270884E2C8B1D29BD1F61A9AD7CE251AD4E570C179C77607BE5A7B8DB1D79B03C3D7B9E684EBEC4E802ED78F0D0CD2BD4060121D814A65EE05C63BEBE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................... ...................@...............................$...P..................`........l..................................................................................CODE................................ ..`DATA....(...........................@...BSS.....1............d...................idata...$.......&...d..............@....tls.....................................rdata..............................@..P.reloc...l.......l..................@..P.rsrc........P......................@..P............. ......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.412554678800313
Encrypted:	false
SSDEEP:	3:oVXUHTyfWdmW8JOGXnEHTyfWBn:o9UHTyfWBqEHTyfWB
MD5:	7D4B8BFB6BDDDC64E2EA8E3EE38C3F13
SHA1:	4CAE5DFC458AF028E3E9D42CA7F4416BCF4F58E5
SHA-256:	9512ED841DBA599287E10B030BB88C54104E1C045CE20632813D32CB8F0EF2F5
SHA-512:	CFA5768FA66E6176BE2850E5C5F6A0F0616F66054CACCEDA58755A76908867F7F568A733EEC3F0E97B54D9F5F93461FAC708553E3B3AF39C924D1E174BFC973E
Malicious:	false
Reputation:	low
Preview:	[2021/03/10 19:26:07.663] Latest deploy version: ..[2021/03/10 19:26:07.663] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\r5rqi0xe.fvz\unarchiver.log Download File
Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1956
Entropy (8bit):	5.21810692344601
Encrypted:	false
SSDEEP:	48:useDZBEEGBEGbBEGBEGpXEGzEGBEGpADZEGbjEGJDZEGwEGcEG3uEGDEGauEGuEy:usuZ6JdJ9bJ+ZDjdZI0/urSuGOJ4JBU0
MD5:	884D2E5B160BCBCEC1523E83DCE940A9
SHA1:	6D3338860E886F1369F37B37A108CEA791CC53FF
SHA-256:	F9D1D5FF573D1553140136350A2DDC34123B57D2F3CB7C06E1AAA94B84F67D43
SHA-512:	17171034E9F2244DBCAABDB7E584E73E21C02987F2C852459F3415E6F159ADC21DE3057F319AB41B31599CF37AFDB877403AA2D31AB0BD2051588D2AD09119E1
Malicious:	false
Reputation:	low
Preview:	03/10/2021 7:26 PM: Unpack: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar..03/10/2021 7:26 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno..03/10/2021 7:26 PM: Received from standard out: ..03/10/2021 7:26 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..03/10/2021 7:26 PM: Received from standard out: ..03/10/2021 7:26 PM: Received from standard out: Scanning the drive for archives:..03/10/2021 7:26 PM: Received from standard out: 1 file, 279778 bytes (274 KiB)..03/10/2021 7:26 PM: Received from standard out: ..03/10/2021 7:26 PM: Received from standard out: Extracting archive: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar..03/10/2021 7:26 PM: Received from standard out: --..03/10/2021 7:26 PM: Received from standard out: Path = C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirma

C:\Users\user\AppData\Local\Temp\~DF2C9BB23C7BCFA09B.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.33072581658132044
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwhz9lwhz9l2h9/9l2hf:kBqoxKAuvScS+hMhqh9+hchdy
MD5:	0A29AEF60C60540121952C88168E5164
SHA1:	E5143D4F3CBC2B710B87CCEDA5632854711DC97E
SHA-256:	45FF1E52784DE01B997311ADC53633CE3F5F9A0555A5AF92B42E3415428963CA
SHA-512:	413D08B319A037B67D200FCD1B182B22960476BBE6617D3C3164F639F37790575B54620BE06A329C2A0D7FC7A8C766AAC14FD54E4CEC8DCF458D7B58D4B880BA
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF77101CDF3FEF186F.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29745
Entropy (8bit):	0.3909413003770327
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laAggl7l2Y9lU:kBqoxxJhHWSVSEabljQ2y
MD5:	FCD3BF60F97D23185FBA445992E4B07C
SHA1:	B3803FAABA34AB4123944A67B3AB634EA519CE55
SHA-256:	383EB8DE303B0D86E3993A365D910FF0BFDC513BA9EB18268A46A853CA52A08F
SHA-512:	8261D6DDB2040AE80844DF183A1968497AD4723039709C36D112488204661BDBAD17A28BB6CD5C59E6225AE4EC1AC812FB73AE7CD162B2067F7D21796E5A10EF
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA431D7639D759B21.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13109
Entropy (8bit):	0.5384947395285733
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lodaB9lodah9lWdaL9PI9Mk3MYt9ID:kBqoIdNdLdP4
MD5:	C685A2786B24624FDA8DA505FC7C6716
SHA1:	63A7BFB0B09EE6CA2F65137F89562FE706BBE1A8
SHA-256:	4DB30310B68D9BAB787450B0BC4744B2CBE92EE79D47073EEB1705C35EC6B676
SHA-512:	BC08959DCEC3821D25613B60E67DE334863365C7C757FBEB223B6D1B7D26BBE82AFDC59E47A9B43281114C80B52B449D52A2C514D1DDE5DF794CE3068188BD48
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fgha\dfgh.dat Download File
Process:	C:\Windows\SysWOW64\DpiScaling.exe
File Type:	data
Category:	dropped
Size (bytes):	619
Entropy (8bit):	6.890533373373214
Encrypted:	false
SSDEEP:	12:dNPETKwoNPETKwHcN8hu3B8ONPETKwHcN8hu8mNPETKwHcN8huMbENPETKwHcN8k:dNc2vNc2pu43WONc2pu4pNc2pu4MYNcm
MD5:	DCC0740EBCF925A53851B5060C965C67
SHA1:	324F3D8C47B0A7353470A12C005338149567F6C3
SHA-256:	B5765291773304D48A8F71A9EA626B4DEFC91A7591A3072F831C9C1CD9FD686C
SHA-512:	EFD69E1F3A8729DA9860B3D3B76B31EED5E9A95C6E88808C970251814479A97C4CC69363C6FB4DA59A7C30CE69E379A1C86272F511BA32287BA31FCAAC7F8E9D
Malicious:	false
Reputation:	low
Preview:	.9U...;..y.c....L'....H.A..D....e...L...Ev...s....9U...;..y.c....L'....H.A..D....e...L...Ev...s..../..mud..ach......0F.....\|<8{R8.. @$Y..=.F...n../\|q..B...9U...;..y.c....L'....H.A..D....e...L...Ev...s..../..mud..ach......0F.....\|<8{R8.. @$Y..=.F...n../\|q..B.....9U...;..y.c....L'....H.A..D....e...L...Ev...s..../..mud..ach......0F.....\|<8{R8.. @$Y..=.F...n../\|q..B.....@.^JO-....hx.X.(.mS2.mY...9U...;..y.c....L'....H.A..D....e...L...Ev...s..../..mud..ach......0F.....\|<8{R8.. @$Y..=.F...n../\|q..B.....@.^JO-....hx.X.(.mS2.mY....?.Er...G;4f.....b......\|^..-.-..,)....G...F.H..a.M......

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2021 19:26:08.253895044 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.254136086 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.306267977 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.306514025 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.306548119 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.306644917 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.314233065 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.314476013 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.365276098 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.365449905 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.369637966 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.369673967 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.369785070 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.370676994 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.370703936 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.370803118 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.413191080 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.413229942 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.421276093 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.421447039 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.421472073 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.466888905 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.467010975 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.467037916 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.467143059 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.467164040 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.468393087 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.468790054 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.468812943 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.469353914 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.470293045 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.474611044 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.474858046 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.474915028 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.475017071 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.475071907 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.475857973 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.476110935 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:08.560139894 CET	443	49707	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:08.561734915 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:24.071604013 CET	443	49708	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:24.071787119 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:24.803504944 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:24.805857897 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:24.854767084 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:24.854880095 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:24.856976986 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:24.857117891 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:24.957158089 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:24.959316015 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.009983063 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.012119055 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.012365103 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.012391090 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.012468100 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.012495995 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.015108109 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.015137911 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.015249968 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.036629915 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.046364069 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.046802998 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.052376986 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.053180933 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.087914944 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.089323997 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.089351892 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.089483023 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.093238115 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.097598076 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.097929001 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.098004103 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.103627920 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.104288101 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.104541063 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.104559898 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.104629993 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.110527039 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.138711929 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.144385099 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.163150072 CET	443	49709	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.558523893 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.558556080 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.558577061 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.558593035 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.558614016 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.558633089 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.558636904 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.558698893 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.559125900 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.559155941 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.559196949 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.559237003 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.559720039 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.559745073 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.559786081 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.559813023 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.560918093 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.560946941 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.560995102 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.561017036 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.562094927 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.562125921 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.562172890 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.562201023 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.563288927 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.563319921 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.563364029 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.563389063 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.564496994 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.564529896 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.564580917 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.564603090 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.565675020 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.565704107 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.565745115 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.565773964 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.566910982 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.566941023 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.566981077 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.567009926 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.568109035 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.568135977 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.568186045 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.568206072 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.569300890 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.569330931 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.569366932 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.569396973 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.570538044 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.570564985 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.570627928 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.570674896 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.571660042 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.571686029 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.571737051 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.571763992 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.638885975 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.638916969 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.639050961 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.639092922 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.639111996 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.639138937 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.639188051 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.639703035 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.639734030 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.639774084 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.639800072 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.640975952 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.641002893 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.641060114 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.641087055 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.642144918 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.642174006 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.642224073 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.642247915 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.643285036 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.643317938 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.643367052 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.643403053 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.644500017 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.644532919 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.644583941 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.644613028 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.645699978 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.645726919 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.645766020 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.645808935 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.646919966 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.646950960 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.646991968 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.647023916 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.648065090 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.648088932 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.648133039 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.648171902 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.649281025 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.649317026 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.649374008 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.649411917 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.650475979 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.650506973 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.650554895 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.650579929 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.651679039 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.651712894 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.651757956 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.651786089 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.652993917 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.653026104 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.653063059 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.653091908 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.654050112 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.654081106 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.654114008 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.654136896 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.655247927 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.655281067 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.655313969 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.655337095 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.656429052 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.656461954 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.656507015 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.656562090 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.657675982 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.657706976 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.657757044 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.657792091 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.658875942 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.658905983 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.658951044 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.658996105 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.660033941 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.660063982 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.660115957 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.660145044 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.661218882 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.661251068 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.661298990 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.661323071 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.662414074 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.662445068 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.662494898 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.662524939 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.663615942 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.663650036 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.663702011 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.663731098 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.664815903 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.664848089 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.664896965 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.664925098 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.666024923 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.666058064 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.666090012 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.666112900 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.667196989 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.667247057 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.667278051 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.667294025 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.756112099 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.756169081 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.756242037 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.756303072 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.756618023 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.756653070 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.756668091 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.756695032 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.757251978 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.757299900 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.757303953 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.757340908 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.758210897 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.758256912 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.758264065 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.758297920 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.759299994 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.759351969 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.759358883 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.759398937 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.762713909 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.762742043 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.762763023 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.762787104 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.762808084 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.762828112 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.762833118 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.762895107 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.763552904 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.763603926 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.763609886 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.763647079 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.764663935 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.764700890 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.764728069 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.764759064 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.765711069 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.765742064 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.765779972 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.765798092 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.766750097 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.766794920 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.766814947 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.766844034 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.767836094 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.767865896 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.767895937 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.767923117 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.768903017 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.768951893 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.768958092 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.769299030 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.769979000 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.770024061 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.770034075 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.770061016 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.771049023 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.771080017 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.771105051 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.771147013 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.772120953 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.772154093 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.772178888 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.772203922 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.773205042 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.773235083 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.773272038 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.773293018 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.774266958 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.774298906 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.774339914 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.774359941 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.775333881 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.775363922 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.775388956 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.775408030 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.776427984 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.776458025 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.776487112 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.776514053 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.779330015 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.779356956 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.779396057 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.779396057 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.779421091 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.779439926 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.779448032 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.779486895 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.779644966 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.779686928 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.779690981 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.779741049 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.780766964 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.780832052 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.780952930 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.781011105 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.781861067 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.781913996 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.781918049 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.781963110 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.782891989 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.782952070 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.782969952 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.783009052 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.783999920 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.784082890 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.784085035 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.784138918 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.785062075 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.785115957 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.785129070 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.785156012 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.808795929 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.808826923 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.808939934 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.809097052 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.809113979 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.809169054 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.810203075 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.810230970 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.810270071 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.810322046 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.811247110 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.811274052 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.811306953 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.811340094 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.812356949 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.812386990 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.812442064 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.812467098 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.813430071 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.813456059 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.813491106 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.813515902 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.814477921 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.814506054 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.814537048 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.814563990 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.815531015 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.815557003 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.815597057 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.815624952 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.816596985 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.816625118 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.816657066 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.816680908 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.817677975 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.817718983 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.817748070 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.817781925 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.818758965 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.818784952 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.818820000 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.818856001 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.819822073 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.819860935 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.819880962 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.819910049 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.821607113 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.821640015 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.821675062 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.821727991 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.821944952 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.821980000 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.821994066 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.822019100 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.823038101 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.823065042 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.823096991 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.823128939 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.824101925 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.824129105 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.824166059 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.824202061 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.825184107 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.825212002 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.825242043 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.825377941 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.826252937 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.826282978 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.826308966 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.826340914 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.827307940 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.827346087 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.827368021 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.827399015 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.828449965 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.828480959 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.828528881 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.828547001 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.829442978 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.829469919 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.829513073 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.829531908 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.830519915 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.830547094 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.830586910 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.830620050 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.831654072 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.831682920 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.831734896 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.831756115 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.832712889 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.832741022 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.832784891 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.832807064 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.833762884 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.833790064 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.833848953 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.833867073 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.834820032 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.834850073 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.834878922 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.834918022 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.835881948 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.835910082 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.835943937 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.835963011 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.836916924 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.836944103 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.836992979 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.837012053 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.837924004 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.837951899 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.837995052 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.838013887 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.838901997 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.838929892 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.838967085 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.838989973 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.839915991 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.839945078 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.839968920 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.839992046 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.840816975 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.840843916 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.840873957 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.840900898 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.841798067 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.841828108 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.841861963 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.841893911 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.842781067 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.842808962 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.842849016 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.842892885 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.843770027 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.843797922 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.843835115 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.843864918 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.844762087 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.844789028 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.844825983 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.844849110 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.845689058 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.845712900 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.845747948 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.845772982 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.846684933 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.846712112 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.846743107 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.846766949 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.847629070 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.847654104 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.847690105 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.847708941 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.848571062 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.848598003 CET	443	49710	172.67.153.148	192.168.2.5
Mar 10, 2021 19:26:25.848644972 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:25.848664999 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:47.165507078 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.320415974 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.320600033 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.363534927 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.518457890 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.523580074 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.523634911 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.523758888 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.523811102 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.524053097 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.524141073 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.648854971 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.806353092 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.806466103 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.833461046 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.993747950 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.993767977 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.993791103 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.993868113 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.993951082 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.994021893 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.994035006 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.994127035 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.994213104 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.994270086 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.994311094 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.994363070 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.994446039 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:47.994508982 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.994582891 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:47.994724989 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.150588036 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.150612116 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.150634050 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.150688887 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.150758028 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.150769949 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.150806904 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.151130915 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.151232004 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.151290894 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.151352882 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.151359081 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.151417017 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.151449919 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.151515961 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.151803017 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.151849985 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.151952982 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.151999950 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.152024984 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.152086020 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.152163982 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.152209997 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.152242899 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.152304888 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.152390957 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.152493000 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.152559042 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.152606010 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.152704000 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.152740955 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.152790070 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.152836084 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.152928114 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.152978897 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.153059006 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.153059959 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.153201103 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.307195902 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.307248116 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.307292938 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.307347059 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.307391882 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.307488918 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.307543993 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.307558060 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.307600021 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.307648897 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.307727098 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.307821989 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.307852030 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.307961941 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.308049917 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308126926 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.308136940 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308243990 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308245897 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.308358908 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308427095 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.308439016 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308564901 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308579922 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.308659077 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.308676004 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308773041 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.308856964 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308887959 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.308959961 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.309006929 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.309087992 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.309113026 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.309170008 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.309223890 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.309528112 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.309580088 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.309667110 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.309693098 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.309760094 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.309820890 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.309927940 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.309978008 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310046911 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310085058 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.310158014 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.310185909 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310240030 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310313940 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.310422897 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310455084 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.310524940 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.310534000 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310579062 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310646057 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.310728073 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310785055 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.310866117 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.310893059 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.310972929 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.311038971 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.311307907 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.311341047 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.311386108 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.311405897 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.311414957 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.311451912 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.311492920 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.311522007 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.311647892 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.312666893 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.312712908 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.312786102 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.462583065 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.462608099 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.462660074 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.462680101 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.462722063 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.462774038 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.462878942 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.462927103 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.463021040 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.463124037 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.463170052 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.463211060 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.463229895 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.463287115 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.463382006 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.463427067 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.463479042 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.463546991 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.463594913 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.463639975 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.463732004 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.463849068 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.464054108 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.464170933 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.464226007 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.464273930 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.464286089 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.464349031 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.464382887 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.464458942 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.464502096 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.464595079 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.464629889 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.464675903 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.464742899 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.464862108 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.464910984 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.464970112 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465056896 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465114117 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.465162039 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465215921 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.465332031 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465399981 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.465434074 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465549946 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465589046 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.465614080 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.465645075 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465711117 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.465759039 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465867996 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.465899944 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.465920925 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.466001987 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466079950 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.466114044 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466238976 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466269970 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.466336966 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466428041 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466439962 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.466473103 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.466569901 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466667891 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466696024 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.466742039 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.466793060 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466914892 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.466962099 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.467022896 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467098951 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.467108011 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467227936 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467238903 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.467263937 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.467400074 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467504978 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467530966 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.467557907 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.467597008 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467688084 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467705011 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.467734098 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.467803955 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467961073 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.467963934 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.468029976 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.468039989 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.468075991 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.468108892 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.468257904 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.468266964 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.468291998 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.468377113 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.468517065 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.468524933 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.468554974 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.468583107 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.468714952 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.468724012 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.468751907 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.469121933 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.469172955 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.469192982 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.469278097 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.469326019 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.469449997 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.469510078 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.469532013 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.469566107 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.469644070 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.469759941 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.469819069 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.469887972 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.470014095 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.470496893 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.470571041 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.470650911 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.470674038 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.470817089 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.470824003 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.470864058 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.471251965 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.471277952 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.471358061 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.471369028 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.471426964 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.471513033 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.471623898 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.471657038 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.471678019 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.471710920 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.471767902 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.471880913 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.472002983 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.472014904 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.472043991 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.472089052 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.472193003 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.472242117 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.472311020 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.472373009 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.472418070 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.472537041 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.472656965 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.472733021 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.472933054 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.618232012 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.618264914 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.618343115 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.618372917 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.618391037 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.618422031 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.618448973 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.619029045 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.619081020 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.619162083 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.619240999 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.619347095 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.619405985 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.619581938 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.619690895 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.619713068 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.619750023 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.619786978 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.619843960 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.619883060 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.619936943 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.619993925 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.620135069 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.620166063 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.620203972 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.620513916 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.620630980 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.620640993 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.620699883 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.620738983 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.620820045 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.620887995 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.620976925 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.621061087 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.621129036 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.621660948 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.621781111 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.621849060 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.621912956 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.621974945 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.622039080 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.622102022 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.622356892 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.622473955 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.622533083 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.622590065 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.622659922 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.622731924 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.622823000 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.622939110 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623068094 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623095989 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.623120070 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.623140097 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623208046 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.623251915 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623301983 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.623372078 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623528957 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.623538971 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623603106 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.623610973 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623662949 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.623723984 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623812914 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623868942 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.623933077 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.623984098 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.624048948 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624171972 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624229908 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.624347925 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624423027 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624483109 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.624547005 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624617100 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624649048 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.624696016 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.624742031 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624908924 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624937057 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.624977112 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.625005960 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.625596046 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.625705957 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.625721931 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.625758886 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.625811100 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.625859976 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.625922918 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.626096010 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.626538038 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.626651049 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.626739979 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.626756907 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.626841068 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.626902103 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.627487898 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.627573967 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.627593994 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.627635002 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.627681971 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.627808094 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.627872944 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.627933025 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.628011942 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.628037930 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.628087044 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.628118992 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.628298998 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.628329039 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.628366947 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.628407955 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.628459930 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.628530979 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.628573895 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.628596067 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.628642082 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.629162073 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629193068 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629210949 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629229069 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.629234076 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629254103 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629272938 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629275084 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.629303932 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.629354000 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.629582882 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629617929 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629687071 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.629878044 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629899979 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629925013 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629941940 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.629964113 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.630002975 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.630068064 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.630125999 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.630208015 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.630292892 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.630328894 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.630352974 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.630445004 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.630501986 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.630507946 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.630635977 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.630690098 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.630731106 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.630786896 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.630840063 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.630966902 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.631019115 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.631067991 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.631123066 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.631222010 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.631366968 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.631577969 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.631663084 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.631715059 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.631778955 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.631908894 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.631963015 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.632507086 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.632592916 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.632647991 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.632745028 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.632847071 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.632899046 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.632953882 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633052111 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633101940 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.633203030 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633271933 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633322001 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.633413076 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633569956 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633620977 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.633625031 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633711100 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.633889914 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633912086 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.633965969 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.634001017 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634056091 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.634140968 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634215117 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634262085 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.634335995 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634418964 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634469032 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.634527922 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634605885 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.634660006 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634780884 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634835005 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.634939909 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.634996891 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635046959 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.635180950 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635231972 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.635533094 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635554075 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635576963 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635595083 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635605097 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.635639906 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.635674000 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635761023 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.635768890 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635902882 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.635957956 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.636013985 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.636064053 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.636159897 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.636240959 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.636265039 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.636296034 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.636379957 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.636432886 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.636482954 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.636600018 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.636648893 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.636745930 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.636842966 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.636894941 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.636948109 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637098074 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637146950 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.637176037 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637232065 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.637264967 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637316942 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.637368917 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637485027 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637501001 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.637536049 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.637600899 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637753010 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637804031 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.637818098 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.637882948 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.638142109 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.638196945 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.638243914 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.638257980 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.638274908 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.638304949 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.638467073 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.638473034 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.638489008 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.638545036 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.638660908 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.638714075 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.638751984 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.638804913 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.638876915 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639012098 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639027119 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.639060974 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.639123917 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639173985 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.639183998 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639281988 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639333010 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.639427900 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639542103 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639594078 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.639628887 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639703035 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.639759064 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639863014 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.639914989 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.773472071 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.773490906 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.773627996 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.773662090 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.773744106 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.773819923 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.774075985 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774152994 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.774194002 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774269104 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.774291039 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774393082 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774424076 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.774440050 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.774550915 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774621964 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774652004 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.774693012 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.774739027 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774889946 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.774892092 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774940014 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.774945974 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.775105953 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.775115013 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.775171041 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.775188923 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.775351048 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.775408983 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.775454044 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.775511980 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.775517941 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.775553942 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.775633097 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.775715113 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.775808096 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.775907993 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.775957108 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.776015997 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776134968 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776185036 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.776216030 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776349068 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776400089 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.776437998 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776582956 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776654959 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776669025 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.776727915 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.776758909 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776896954 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.776952028 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.776979923 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.777118921 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.777170897 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.777221918 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.777311087 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.777353048 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.777463913 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.777515888 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.777587891 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.777704954 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.777755976 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.777832031 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778153896 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778178930 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778197050 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778212070 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.778239012 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.778271914 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778384924 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778434992 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.778460979 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778588057 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778636932 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.778695107 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778804064 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.778852940 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.778986931 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.779108047 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.779151917 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.779159069 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.779192924 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.779551983 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.779664040 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.779731035 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.779789925 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.779854059 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.779905081 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.780023098 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780067921 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780117035 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.780226946 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780330896 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780379057 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.780461073 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780592918 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780637026 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.780658960 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780767918 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780812025 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.780849934 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.780996084 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781039000 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.781095982 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781249046 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781295061 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.781358004 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781440973 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781492949 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.781533003 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781663895 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781714916 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.781784058 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781888962 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.781932116 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.782001019 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.782110929 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.782156944 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.782224894 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.782382965 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.782426119 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.782454967 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.782583952 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.782627106 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.782658100 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.782790899 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.782835960 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.782902956 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783058882 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783106089 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.783139944 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783220053 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.783238888 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783343077 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.783373117 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783447027 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.783497095 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783601999 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783649921 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.783757925 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783807039 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.783854961 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.783987999 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784081936 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784127951 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.784179926 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784251928 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784301043 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.784424067 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784509897 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784558058 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.784625053 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784802914 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784849882 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.784874916 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784950972 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.784991980 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.785053968 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.785160065 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.785206079 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.785351992 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.785425901 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.785471916 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.785494089 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.785620928 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.785665989 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.785722971 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.785868883 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.785912037 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.785979986 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786088943 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786135912 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.786223888 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786305904 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786353111 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.786458015 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786541939 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786587954 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.786654949 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786741018 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786786079 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.786871910 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.786989927 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.787036896 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.787075043 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.787317038 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.787365913 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.787379980 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.787468910 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.787513971 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:48.787605047 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.787617922 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:48.787657976 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:50.149722099 CET	49707	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:50.150007963 CET	49708	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:50.150154114 CET	49710	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:50.150224924 CET	49709	443	192.168.2.5	172.67.153.148
Mar 10, 2021 19:26:53.625915051 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:53.625942945 CET	443	49717	72.249.68.209	192.168.2.5
Mar 10, 2021 19:26:53.626029015 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:26:53.626060009 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:27:06.736376047 CET	49717	443	192.168.2.5	72.249.68.209
Mar 10, 2021 19:27:07.653321028 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:08.021202087 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:08.021333933 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:08.047069073 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:08.432882071 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:08.532898903 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:08.902640104 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:08.911890030 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:09.320308924 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:09.320451975 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:09.720136881 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:09.758371115 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:10.168498993 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:14.722832918 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:14.750004053 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:15.156429052 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:19.726843119 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:19.729583025 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:20.137629986 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:24.730843067 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:24.735707998 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:25.143896103 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:29.732498884 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:29.735796928 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:30.142784119 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:34.736103058 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:34.738574982 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:35.146960974 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:39.738878012 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:39.744841099 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:40.151818991 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:44.741712093 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:44.744162083 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:45.163641930 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:49.744956017 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:49.749522924 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:50.155920029 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:53.801570892 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:53.849210978 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:53.994739056 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:54.363224983 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:54.363544941 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:54.377774954 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:54.748184919 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:54.751898050 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:54.759300947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:54.802443027 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.158531904 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.170533895 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.184813023 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.194369078 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.558934927 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.559200048 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.562829971 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.562866926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.562992096 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.563266993 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.563285112 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.563406944 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.925843954 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.926075935 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.929078102 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.929239035 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.943214893 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.943236113 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.943243027 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.943362951 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.943440914 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.943758011 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.943770885 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.943862915 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.943912029 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.944963932 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.945084095 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.952068090 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:55.952184916 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:55.992294073 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.293566942 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.293935061 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.296057940 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.297640085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.323328018 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.323422909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.323967934 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.324317932 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.324748993 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.326477051 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.326504946 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.336649895 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.337214947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.337852001 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.337873936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.338567019 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.376110077 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.430078030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.474761963 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:56.578191042 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:56.581552029 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:56.586745977 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:56.590437889 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:56.593466997 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:56.946059942 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.946588039 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.948120117 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.948546886 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.950068951 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.950124979 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.950246096 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.961330891 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.961920023 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.962066889 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.962461948 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.962665081 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.963501930 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.974165916 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.974189043 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.974555016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.975529909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.976036072 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.976802111 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.977364063 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.986639023 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.986705065 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.987248898 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.987762928 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.988158941 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.988749981 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.999169111 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.999191046 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.999202967 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.999214888 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.999387980 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:56.999401093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.073709965 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.130709887 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.186008930 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.189152002 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.192436934 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.195930958 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.199219942 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.554797888 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.554828882 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.554836988 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.556070089 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.556646109 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.557156086 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.557368040 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.570188999 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.571093082 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.571228981 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.571249008 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.571661949 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.572258949 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.580018997 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.580045938 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.580054045 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.580066919 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.580075026 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.580082893 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.580091000 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.581695080 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.581710100 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.581717014 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.581726074 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.581975937 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.581990957 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.586273909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.586611032 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.586633921 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.586647987 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.587032080 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.587053061 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.654254913 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:57.708894014 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.747369051 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.749923944 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.752445936 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.754971981 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:57.758196115 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:58.119442940 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.119471073 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.119883060 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.120471954 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.121249914 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.121953964 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.122983932 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.136611938 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.137113094 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.137800932 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.137830973 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.138143063 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.138219118 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.141201973 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.141982079 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.142016888 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.142043114 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.142067909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.142102003 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.142132998 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.146305084 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.146327972 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.146341085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.146358013 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.146367073 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.146569014 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.147831917 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.147855997 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.147871971 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.147886038 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.147938013 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.148466110 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.221239090 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.271460056 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:58.309554100 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:58.312277079 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:58.314801931 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:58.317316055 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:58.319834948 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:58.677508116 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.680964947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.681557894 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.681978941 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.682004929 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.683013916 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.683693886 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.695550919 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.696296930 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.696897030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.697200060 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.697441101 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.697909117 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.701453924 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.701472044 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.701488972 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.701503992 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.701519012 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.701534033 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.701669931 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.703643084 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.703665972 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.703677893 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.703690052 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.703701019 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.703720093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.705111980 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.705127954 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.705147028 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.705164909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.705687046 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.705705881 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.776231050 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:58.818325043 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:59.142988920 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:59.146260023 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:59.149769068 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:59.153038979 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:59.156630993 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:59.511131048 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.511158943 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.511549950 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.511785030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.512614965 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.513056040 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.513835907 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.520677090 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.520709991 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.520720005 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.520735979 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.520754099 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.520770073 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.525181055 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.525214911 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.525232077 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.525270939 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.525286913 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.525301933 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.525355101 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.526468039 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.526500940 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.526518106 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.526963949 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.526988983 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.527007103 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.527503967 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.527529001 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.528033972 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.528193951 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.528212070 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.528230906 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.597558022 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.646574974 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:59.751007080 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:27:59.792859077 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:27:59.971668005 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:00.031883955 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:00.034451962 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:00.037578106 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:00.040908098 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:00.044172049 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:00.381064892 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.402097940 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.402671099 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.402684927 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.402774096 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.403390884 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.403414965 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.404028893 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.415957928 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.416533947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.417622089 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.418010950 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.418515921 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.418623924 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.420514107 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.420795918 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.421200037 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.421214104 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.421235085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.421247959 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.421262980 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.423157930 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.423173904 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.423513889 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.423523903 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.423541069 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.423841953 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.425662041 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.425795078 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.425806999 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.425859928 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.425870895 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.426023960 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.492958069 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:00.537414074 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.175935030 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.181341887 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.185828924 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.191034079 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.191093922 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.541474104 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.541502953 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.541511059 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.541518927 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.541531086 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.541733027 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.546956062 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.546993017 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.547003984 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.547019005 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.547029972 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.547039986 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.547050953 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.550488949 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.550692081 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.550712109 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.551260948 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.551284075 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.551299095 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.555058002 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.555804014 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.558768988 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.558811903 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.559052944 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.560136080 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.560170889 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.560185909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.560198069 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.560213089 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.560225964 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.560269117 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.560281992 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.627664089 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:01.678033113 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.901267052 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.904325962 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.907010078 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.910530090 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:01.913512945 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:02.270308018 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.270395994 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.270495892 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.274199963 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.274221897 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.274678946 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.275671005 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.288052082 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.288321018 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.289546967 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.289906979 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.290534019 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.290553093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.300055027 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.300198078 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.300642967 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.301148891 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.301419020 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.301556110 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.302010059 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.313465118 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.313497066 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.314601898 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.314636946 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.315545082 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.315642118 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.327524900 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.328273058 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.328746080 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.329088926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.329739094 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.330019951 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.405397892 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:02.459230900 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:03.460464001 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:03.464219093 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:03.468589067 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:03.472198963 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:03.474108934 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:03.829333067 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.830297947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.830941916 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.832382917 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.834845066 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.834875107 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.836074114 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.843585014 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.844012022 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.844084978 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.844852924 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.844885111 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.845824957 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.855904102 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.855940104 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.856659889 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.856792927 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.858130932 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.858153105 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.858376026 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.860415936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.860440016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.860451937 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.860872984 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.860892057 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.860904932 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.865434885 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.865454912 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.865466118 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.865478039 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.865490913 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.865499020 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.931288958 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:03.994127989 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.076565981 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.080401897 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.083738089 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.083812952 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.086930037 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.444436073 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.444452047 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.444879055 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.445348978 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.445827007 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.446363926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.446383953 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.458858013 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.460838079 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.460860968 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.460875988 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.460927963 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.461297989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.471318007 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.472065926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.472502947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.472819090 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.472893953 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.473378897 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.474216938 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.484761953 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.485107899 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.485989094 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.486016989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.486984968 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.487371922 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.496680021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.496778011 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.497263908 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.498229980 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.498505116 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.498946905 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.596550941 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.646965027 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.698218107 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.701467991 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.704668999 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.707830906 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.711175919 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:04.754563093 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:04.769088984 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:05.070131063 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.070334911 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.070457935 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.071440935 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.071464062 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.072345018 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.072817087 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.084758997 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.085052013 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.085707903 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.086829901 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.087095022 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.087654114 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.100421906 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.101402998 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.101906061 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.102380037 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.102942944 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.103539944 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.103894949 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.114017010 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.114742994 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.115123034 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.115140915 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.115156889 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.116044044 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.120606899 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.120630026 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.120645046 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.120666981 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.120855093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.120965004 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.176513910 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.683063030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:05.725169897 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:05.811307907 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:05.814341068 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:05.817347050 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:05.820801973 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:05.824163914 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:06.177179098 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.177200079 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.177208900 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.177220106 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.177490950 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.177504063 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.178508997 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.185086966 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.185338974 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.186037064 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.186625957 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.187190056 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.188041925 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.202450991 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.202996016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.203818083 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.204133034 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.204621077 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.205044985 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.205063105 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.214700937 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.215533972 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.216844082 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.216856003 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.218317032 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.219527960 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.227030993 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.227407932 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.227924109 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.228450060 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.229216099 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.229309082 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.307789087 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.350255966 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:06.415111065 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:06.418320894 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:06.421619892 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:06.424884081 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:06.428030014 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:06.785192013 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.785226107 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.787039995 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.787074089 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.787800074 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.787832022 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.788575888 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.799086094 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.800431013 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.800718069 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.800970078 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.801470041 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.803245068 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.812585115 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.812598944 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.813153028 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.814307928 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.814734936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.814753056 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.815452099 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.825550079 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.825562954 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.826617956 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.826633930 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.827775955 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.827792883 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.837251902 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.837363958 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.838396072 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.838404894 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.838895082 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.838902950 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.937490940 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:06.990909100 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.023421049 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.025899887 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.028736115 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.031250000 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.033669949 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.394536972 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.395353079 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.395376921 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.395694017 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.396507978 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.396529913 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.397973061 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.408479929 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.408509016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.409482956 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.410741091 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.410778999 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.411729097 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.421097994 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.422224998 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.422251940 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.423217058 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.423240900 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.423306942 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.424055099 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.433183908 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.433449984 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.433518887 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.434288979 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.435211897 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.435234070 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.445651054 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.446361065 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.446391106 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.446729898 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.446757078 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.449558973 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.534584045 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:07.584773064 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.647757053 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.650578022 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.653740883 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.656517029 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:07.659228086 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:08.016931057 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.017771006 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.018416882 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.018440008 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.019545078 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.020427942 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.020448923 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.031055927 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.031431913 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.034218073 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.034486055 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.034504890 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.034516096 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.043135881 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.043155909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.044222116 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.044404984 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.045170069 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.045186996 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.045949936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.054852962 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.055432081 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.055903912 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.056586981 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.056699991 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.057785034 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.065809011 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.066165924 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.066793919 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.066814899 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.067260027 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.067497015 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.178495884 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.225570917 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:08.571660042 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:08.575088978 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:08.578496933 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:08.581458092 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:08.583697081 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:08.939722061 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.940104008 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.940932989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.941287041 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.942053080 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.942456007 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.943274021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.953855038 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.953875065 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.954929113 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.955749035 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.955878973 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.956814051 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.966106892 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.966363907 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.966936111 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.968346119 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.968534946 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.968962908 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.969531059 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.979917049 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.979938030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.980087996 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.981184959 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.981198072 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.981487989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.991887093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.992315054 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.992743015 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.993099928 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.993745089 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:08.993762016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.062980890 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.116111994 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.149193048 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.152415991 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.155790091 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.159210920 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.162375927 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.517995119 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.518768072 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.518781900 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.518795013 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.520962954 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.521058083 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.521133900 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.532546043 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.533174038 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.535162926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.535218000 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.535852909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.535976887 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.545046091 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.545069933 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.545312881 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.545804024 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.546231031 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.546420097 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.547190905 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.556020975 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.557241917 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.557758093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.558037043 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.558936119 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.559473038 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.567442894 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.567713022 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.568205118 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.568964958 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.569369078 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.570600033 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.660444021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.709902048 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.757220984 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:09.759922028 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.760168076 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.766016960 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.770152092 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.773639917 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:09.776072979 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:10.147548914 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:10.160104036 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.160144091 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.160213947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.162798882 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.162858963 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.162905931 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.162938118 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163013935 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163146019 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163165092 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163181067 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163247108 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163280964 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163367033 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163458109 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163491011 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163551092 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163590908 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163619041 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163640976 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163742065 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163816929 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163844109 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163901091 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163933039 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163964033 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.163990021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.164048910 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.164072990 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.164108038 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.164138079 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.164166927 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.169404030 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.229978085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.272450924 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:10.352785110 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:10.356100082 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:10.359338999 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:10.362644911 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:10.365623951 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:10.513714075 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.721076965 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.721461058 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.721977949 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.722824097 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.723017931 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.724098921 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.724658966 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.737320900 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.737355947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.737368107 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.738068104 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.738123894 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.738884926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.748825073 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.748980999 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.749423027 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.749942064 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.750437021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.750835896 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.751019955 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.761893988 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.762490034 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.762507915 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.763340950 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.764070988 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.764094114 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.774646044 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.775120974 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.775788069 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.775810003 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.776813984 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.777403116 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.878885031 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:10.928713083 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.020229101 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.023392916 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.027319908 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.029995918 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.032429934 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.381864071 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.389466047 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.389719963 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.390470028 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.390486002 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.391819000 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.393618107 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.393632889 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.403980970 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.404041052 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.404714108 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.405376911 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.405999899 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.406367064 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.416981936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.417012930 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.417633057 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.417654037 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.418165922 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.418849945 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.419368029 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.428966999 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.429481030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.430115938 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.430370092 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.430907011 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.430926085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.431917906 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.441783905 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.442025900 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.442404032 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.443177938 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.443191051 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.443746090 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.558653116 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:11.600605965 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.674649954 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.679658890 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.683000088 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.686924934 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.691376925 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:11.746835947 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.038140059 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.044405937 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.044454098 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.044492006 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.044522047 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.044548035 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.045866966 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.045932055 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.056607962 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.057048082 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.057529926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.057548046 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.057821989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.058711052 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.068857908 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.069031954 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.069576979 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.069969893 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.070705891 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.071341991 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.072952032 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.079153061 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.079662085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.079678059 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.079688072 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.080250025 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.080276966 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.082123995 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.082159996 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.082170963 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.082179070 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.082448959 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.082982063 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.151859045 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.194416046 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.238917112 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.242443085 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.244949102 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.248522043 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.251653910 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.403976917 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.609525919 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.609570980 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.610433102 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.615288973 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.615303993 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.615762949 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.615859985 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.626221895 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.626497030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.626526117 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.626538992 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.626549006 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.626559973 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.637942076 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.637962103 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.637973070 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.640047073 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.641031027 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.641865015 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.641882896 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.651388884 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.651407957 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.652518034 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.653512001 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.654206991 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.654220104 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.661365986 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.661398888 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.661412001 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.661473036 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.662355900 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.662513971 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.727401972 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:12.788223028 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.882599115 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.885929108 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.889156103 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.893462896 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:12.896542072 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:13.151989937 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.152062893 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:13.252835035 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.252854109 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.252863884 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.253609896 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.254904032 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.255234957 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.256644964 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.265422106 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.265651941 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.266227961 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.267318010 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.267561913 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.267792940 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.277503967 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.277661085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.278094053 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.278616905 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.279221058 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.280503988 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.281003952 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.291198969 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.291219950 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.292433977 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.292680979 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.293268919 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.294254065 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.302124023 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.302695036 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.303286076 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.303792000 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.304537058 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.305094004 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.385448933 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.428913116 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:13.464566946 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:13.467189074 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:13.470978022 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:13.472840071 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:13.475702047 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:13.833643913 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.834534883 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.834785938 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.834814072 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.836297989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.836675882 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.837094069 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.849093914 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.849773884 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.850658894 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.851655006 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.852122068 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.852180004 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.862143040 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.863389969 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.863419056 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.863936901 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.864418030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.864552021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.865490913 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.875654936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.876149893 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.876405954 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.877511024 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.877549887 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.877564907 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.889143944 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.889173031 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.889563084 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.890346050 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.891170025 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.891311884 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:13.980432987 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.022768021 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.077513933 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.082962990 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.086708069 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.090650082 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.095891953 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.445944071 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.446732044 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.448736906 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.448992968 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.449932098 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.450463057 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.450484037 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.460350037 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.460386038 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.460477114 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.462007999 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.462035894 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.463028908 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.471899033 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.471935034 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.472033978 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.473284960 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.473715067 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.474766016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.475023985 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.483659029 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.483957052 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.484688044 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.485344887 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.486270905 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.486404896 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.497199059 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.497435093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.497453928 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.497811079 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.497838974 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.497951031 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.581804037 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.632100105 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.666549921 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.670722008 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.674551964 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.677697897 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.682148933 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:14.759403944 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:14.760004997 CET	49722	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.036940098 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.036972046 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.037050009 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.038109064 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.038460016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.039215088 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.039858103 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.049218893 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.049731016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.050292015 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.051412106 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.051438093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.052282095 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.061188936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.061660051 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.062668085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.063103914 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.063267946 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.064224005 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.064249039 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.074099064 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.074517965 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.077810049 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.078351021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.078453064 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.078517914 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.089077950 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.089108944 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.089126110 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.089683056 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.089822054 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.090080976 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.170377970 CET	9144	49722	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.215605021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.257164001 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.295413017 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.298641920 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.301896095 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.305063009 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.307923079 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.663475037 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.664277077 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.664381981 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.665564060 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.665827036 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.666271925 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.667207956 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.667756081 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.678092957 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.679394960 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.679413080 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.679574966 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.680438995 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.681001902 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.690956116 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.692653894 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.693362951 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.694303989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.694320917 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.694600105 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.695406914 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.704570055 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.704852104 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.705054998 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.705069065 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.705548048 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.705966949 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.716044903 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.716528893 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.716717005 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.717462063 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.718384981 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.718475103 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.817274094 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:15.866596937 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.918765068 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.924313068 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.927359104 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.931721926 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:15.935698986 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:16.028914928 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.287513018 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.287779093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.287830114 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.288007975 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.288458109 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.289472103 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.290744066 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.301659107 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.301692963 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.302407026 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.302526951 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.302866936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.303622961 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.314255953 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.314640999 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.315640926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.316129923 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.316597939 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.317457914 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.317975998 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.326606989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.327333927 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.327382088 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.327502012 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.328295946 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.329027891 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.340265989 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.341209888 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.341357946 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.342338085 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.342844009 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.343033075 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.439780951 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.491669893 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:16.555087090 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:16.562465906 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:16.565123081 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:16.568430901 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:16.571877956 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:16.858089924 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.858370066 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:16.923332930 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.923365116 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.923966885 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.924639940 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.925035000 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.930998087 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.931022882 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.941899061 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.941973925 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.942395926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.943057060 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.945147991 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.945169926 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.961595058 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.961613894 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.961632013 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.961651087 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.961673021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.961697102 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.962086916 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.962104082 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.962124109 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.962143898 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.962522030 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.962544918 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.962560892 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.964529991 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.964569092 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.964591980 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.964612961 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.964634895 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:16.964723110 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.033370018 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.085525990 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:17.101733923 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:17.105423927 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:17.108865023 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:17.111963034 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:17.114752054 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:17.449980974 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.450067043 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:17.472404003 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.473054886 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.473654032 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.475228071 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.475725889 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.476121902 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.477586031 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.490092993 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.490132093 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.490788937 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.491168022 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.491249084 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.491892099 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.502801895 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.503106117 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.503127098 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.504170895 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.504411936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.504622936 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.504847050 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.516252041 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.516825914 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.517673016 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.517851114 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.518050909 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.519937992 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.530194044 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.530704021 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.531548023 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.532021046 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.532782078 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.533061981 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.607158899 CET	9144	49731	199.249.223.130	192.168.2.5
Mar 10, 2021 19:28:17.648036003 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:18.064333916 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:18.066953897 CET	49731	9144	192.168.2.5	199.249.223.130
Mar 10, 2021 19:28:18.069506884 CET	49731	9144	192.168.2.5	199.249.223.130

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2021 19:25:58.924072981 CET	64344	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:25:58.975661039 CET	53	64344	8.8.8.8	192.168.2.5
Mar 10, 2021 19:25:59.868077040 CET	62060	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:25:59.931866884 CET	53	62060	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:07.006295919 CET	61805	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:07.067038059 CET	53	61805	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:08.183629990 CET	54795	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:08.243592024 CET	53	54795	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:24.703665018 CET	49557	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:24.769932032 CET	53	49557	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:28.602478027 CET	61733	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:28.667464018 CET	53	61733	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:35.194241047 CET	65447	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:35.243252039 CET	53	65447	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:37.046111107 CET	52441	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:37.095196962 CET	53	52441	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:37.740400076 CET	62176	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:37.789302111 CET	53	62176	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:38.051973104 CET	52441	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:38.100847006 CET	53	52441	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:38.758980989 CET	62176	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:38.816407919 CET	53	62176	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:39.068543911 CET	52441	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:39.119992971 CET	53	52441	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:39.787539005 CET	62176	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:39.836844921 CET	53	62176	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:41.083333969 CET	52441	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:41.132054090 CET	53	52441	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:42.075345039 CET	62176	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:42.132795095 CET	53	62176	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:42.871146917 CET	59596	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:42.923088074 CET	53	59596	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:45.098339081 CET	52441	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:45.160845995 CET	53	52441	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:46.083055019 CET	62176	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:46.131923914 CET	53	62176	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:46.958883047 CET	65296	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:47.141330004 CET	53	65296	8.8.8.8	192.168.2.5
Mar 10, 2021 19:26:54.632359982 CET	63183	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:26:54.689886093 CET	53	63183	8.8.8.8	192.168.2.5
Mar 10, 2021 19:27:00.343125105 CET	60151	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:27:00.391769886 CET	53	60151	8.8.8.8	192.168.2.5
Mar 10, 2021 19:27:07.336209059 CET	56969	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:27:07.557770014 CET	53	56969	8.8.8.8	192.168.2.5
Mar 10, 2021 19:27:13.469880104 CET	55161	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:27:13.532330036 CET	53	55161	8.8.8.8	192.168.2.5
Mar 10, 2021 19:27:14.855612993 CET	54757	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:27:14.904362917 CET	53	54757	8.8.8.8	192.168.2.5
Mar 10, 2021 19:27:34.462219954 CET	49992	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:27:34.535068035 CET	53	49992	8.8.8.8	192.168.2.5
Mar 10, 2021 19:27:36.143882990 CET	60075	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:27:36.192972898 CET	53	60075	8.8.8.8	192.168.2.5
Mar 10, 2021 19:28:06.817747116 CET	55016	53	192.168.2.5	8.8.8.8
Mar 10, 2021 19:28:06.866482019 CET	53	55016	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 10, 2021 19:26:08.183629990 CET	192.168.2.5	8.8.8.8	0xc3be	Standard query (0)	www.sendspace.com	A (IP address)	IN (0x0001)
Mar 10, 2021 19:26:24.703665018 CET	192.168.2.5	8.8.8.8	0xfa14	Standard query (0)	fs03n1.sendspace.com	A (IP address)	IN (0x0001)
Mar 10, 2021 19:26:46.958883047 CET	192.168.2.5	8.8.8.8	0x9797	Standard query (0)	www.samtaxitours.com	A (IP address)	IN (0x0001)
Mar 10, 2021 19:27:07.336209059 CET	192.168.2.5	8.8.8.8	0xbc5e	Standard query (0)	alukoren.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 10, 2021 19:26:08.243592024 CET	8.8.8.8	192.168.2.5	0xc3be	No error (0)	www.sendspace.com		172.67.153.148	A (IP address)	IN (0x0001)
Mar 10, 2021 19:26:08.243592024 CET	8.8.8.8	192.168.2.5	0xc3be	No error (0)	www.sendspace.com		104.21.3.176	A (IP address)	IN (0x0001)
Mar 10, 2021 19:26:24.769932032 CET	8.8.8.8	192.168.2.5	0xfa14	No error (0)	fs03n1.sendspace.com		172.67.153.148	A (IP address)	IN (0x0001)
Mar 10, 2021 19:26:24.769932032 CET	8.8.8.8	192.168.2.5	0xfa14	No error (0)	fs03n1.sendspace.com		104.21.3.176	A (IP address)	IN (0x0001)
Mar 10, 2021 19:26:47.141330004 CET	8.8.8.8	192.168.2.5	0x9797	No error (0)	www.samtaxitours.com	samtaxitours.com		CNAME (Canonical name)	IN (0x0001)
Mar 10, 2021 19:26:47.141330004 CET	8.8.8.8	192.168.2.5	0x9797	No error (0)	samtaxitours.com		72.249.68.209	A (IP address)	IN (0x0001)
Mar 10, 2021 19:27:07.557770014 CET	8.8.8.8	192.168.2.5	0xbc5e	No error (0)	alukoren.duckdns.org		199.249.223.130	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 10, 2021 19:26:08.369673967 CET	172.67.153.148	443	192.168.2.5	49708	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Mar 09 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Mar 09 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Mar 10, 2021 19:26:08.369673967 CET	172.67.153.148	443	192.168.2.5	49708	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Mar 10, 2021 19:26:08.370703936 CET	172.67.153.148	443	192.168.2.5	49707	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Mar 09 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Mar 09 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Mar 10, 2021 19:26:08.370703936 CET	172.67.153.148	443	192.168.2.5	49707	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Mar 10, 2021 19:26:25.012391090 CET	172.67.153.148	443	192.168.2.5	49709	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Mar 09 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Mar 09 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Mar 10, 2021 19:26:25.012391090 CET	172.67.153.148	443	192.168.2.5	49709	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Mar 10, 2021 19:26:25.015137911 CET	172.67.153.148	443	192.168.2.5	49710	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Mar 09 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Mar 09 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
Mar 10, 2021 19:26:25.015137911 CET	172.67.153.148	443	192.168.2.5	49710	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		9e10692f1b7f78228b2d4e424db3a98c
Mar 10, 2021 19:26:47.523634911 CET	72.249.68.209	443	192.168.2.5	49717	CN=*.samtaxitours.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 04 16:05:58 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Wed Jun 02 17:05:58 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Mar 10, 2021 19:26:47.523634911 CET	72.249.68.209	443	192.168.2.5	49717	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 4440 Parent PID: 792

General

Start time:	19:26:06
Start date:	10/03/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff6939f0000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 2076 Parent PID: 4440

General

Start time:	19:26:07
Start date:	10/03/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4440 CREDAT:17410 /prefetch:2
Imagebase:	0xf0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: unarchiver.exe PID: 6272 Parent PID: 4440

General

Start time:	19:26:41
Start date:	10/03/2021
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar'
Imagebase:	0x1d0000
File size:	10240 bytes
MD5 hash:	8B435F8731563566F3F49203BA277865
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: 7za.exe PID: 6316 Parent PID: 6272

General

Start time:	19:26:42
Start date:	10/03/2021
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\Rate_Confirmation _LOAD.pdf.rar'
Imagebase:	0x1b0000
File size:	289792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6324 Parent PID: 6316

General

Start time:	19:26:42
Start date:	10/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6400 Parent PID: 6272

General

Start time:	19:26:43
Start date:	10/03/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe'
Imagebase:	0xf60000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6408 Parent PID: 6400

General

Start time:	19:26:43
Start date:	10/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Rate_Confirmation #LOAD.pdf.exe PID: 6440 Parent PID: 6400

General

Start time:	19:26:44
Start date:	10/03/2021
Path:	C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\4q4rk4nb.rno\Rate_Confirmation #LOAD.pdf.exe
Imagebase:	0x400000
File size:	906592 bytes
MD5 hash:	BFCF046DBD2BE19BE45A02E319609060
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: DpiScaling.exe PID: 6360 Parent PID: 6440

General

Start time:	19:27:05
Start date:	10/03/2021
Path:	C:\Windows\SysWOW64\DpiScaling.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\DpiScaling.exe
Imagebase:	0xb90000
File size:	77312 bytes
MD5 hash:	302B1BBDBF4D96BEE99C6B45680CEB5E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, Author: Joe Security Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: unarchiver.exe PID: 6272 Parent PID: 4440 unarchiver.exeCOMMON

Execution Graph

Execution Coverage:	21.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	71
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 04AC02A8, Relevance: 1.7, Strings: 1, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X1(r, xrefs: 04AC06DE

Memory Dump Source

Source File: 0000000E.00000002.357122816.0000000004AC0000.00000040.00000001.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4ac0000_unarchiver.jbxd

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: 0898f7e13dcb36b1d4364fd3af6930f422f59ed92c8ca146c4060db50e18deb1
Instruction ID: fde69112188e8c5d6c058ece8529f26c9930db8b6e1778d2574875887445ea52
Opcode Fuzzy Hash: 0898f7e13dcb36b1d4364fd3af6930f422f59ed92c8ca146c4060db50e18deb1
Instruction Fuzzy Hash: FF220674E14619CFDB14EFA9D984B9DBBB2FF89301F1086A9E809A7354DB309981DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0099B042, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0099B074

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5fcdfc3b5cd54495b407a45dba56a5591e16950a1cb30e818ad0308126c06ae8
Instruction ID: b445a111eab5198628156d4907a036c18b906eb1dfd5f56eac89ed672f87a2ff
Opcode Fuzzy Hash: 5fcdfc3b5cd54495b407a45dba56a5591e16950a1cb30e818ad0308126c06ae8
Instruction Fuzzy Hash: 7801AD758002449FDB10CF29E988766FFA4EF44321F18C8AADD588F246D379A408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0099B0B2, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0099B15F

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 28b05c522ab1780082ab6c34fcd7a38f8bcfa277713a927db63c281b013e5b80
Instruction ID: c6420b63e0a3ab077bc72d238531de1fc9d75de4ad0be1fe74192e851f51933d
Opcode Fuzzy Hash: 28b05c522ab1780082ab6c34fcd7a38f8bcfa277713a927db63c281b013e5b80
Instruction Fuzzy Hash: CD31A4725043446FEB228F65DC44FA6BFBCEF05310F0888AAF985CB152D724A919DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0099AB70, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0099AC13

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 76839c29411ceed9bb93c453f02573f558a4af2506051378e60703df1785277c
Instruction ID: dd0705d01a9e77702bbcedacfc943900846475c0b307d90f23da22ecd1ab9cdf
Opcode Fuzzy Hash: 76839c29411ceed9bb93c453f02573f558a4af2506051378e60703df1785277c
Instruction Fuzzy Hash: DC31C4725043446FEB228B65DC84FA7BFECEF05320F0488AAF985CB152D234A819DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0099A504, Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0099A5A9

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ee4954bd29c3503ee681368714b01b72319235d6cf3ad0804d1aa50b54208c00
Instruction ID: 5c351bc7d1ac98aebd1656d8a748d29a921ca0a7ecaa1438c5d938e727ea8063
Opcode Fuzzy Hash: ee4954bd29c3503ee681368714b01b72319235d6cf3ad0804d1aa50b54208c00
Instruction Fuzzy Hash: 01314171505780AFEB22CF69DC44B66BFE8EF05310F0884AAE9859B252D375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0099A120, Relevance: 1.6, APIs: 1, Instructions: 85
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 0099A1C2

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 4167b1895500b9c88f91e4f59d2c0fe652e34f6769cae1ea3c8a0ca492c83378
Instruction ID: 2718be6a897485a65fdac82ffe54af9ae98069aeb25af53eaaa4d17557794c3f
Opcode Fuzzy Hash: 4167b1895500b9c88f91e4f59d2c0fe652e34f6769cae1ea3c8a0ca492c83378
Instruction Fuzzy Hash: A331D27240D3C06FD7138B368C55BA2BFB4EF47610F0985DBD8848F593D225A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0099AB96, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0099AC13

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 39630e5c3da42744f0c852f644d44c925d63468d2af45aba53321adaa64da25b
Instruction ID: 3c02364790693d912a852378cb9269943c9eaf5f5475321ad2789b745346d4b8
Opcode Fuzzy Hash: 39630e5c3da42744f0c852f644d44c925d63468d2af45aba53321adaa64da25b
Instruction Fuzzy Hash: 5E21A472500204AFEB21DF69DC84F6AFBECEF14310F14886AEE859B151D674E5149BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0099B0E2, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0099B15F

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 62dd83ac8e2a9f529f5b4f431d7d6248c62b65bbf1e8a196056ff6d748325861
Instruction ID: e4c645d1d1ea1c894f1a6488112bb1c40ccba0734a50e77e15e44eaaba2dba1c
Opcode Fuzzy Hash: 62dd83ac8e2a9f529f5b4f431d7d6248c62b65bbf1e8a196056ff6d748325861
Instruction Fuzzy Hash: C421C172504204AFEB219F69DC84FAAFBECEF04310F14886AEE45CB151D774E4089B71

Uniqueness

Uniqueness Score: -1.00%

Function 0099A77C, Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E2C,3AA22D34,00000000,00000000,00000000,00000000), ref: 0099A80A

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6ddf8f1e6ff8c8041502fc6b3a2af9360d51ab99acddbd92f1fa60bdffa94549
Instruction ID: a0b6a97bde417324d3760beeee3b9dd5af68b363e6e43212bf81941cf7878457
Opcode Fuzzy Hash: 6ddf8f1e6ff8c8041502fc6b3a2af9360d51ab99acddbd92f1fa60bdffa94549
Instruction Fuzzy Hash: BC21A4714093806FEB128B65DC80F66BFB8EF46710F0884EAED849F153D264A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0099A85F, Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E2C,3AA22D34,00000000,00000000,00000000,00000000), ref: 0099A8ED

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b4ea707cc2311828d2aa9ff599b25993e3d87c92e1152b0d357c61185b019fad
Instruction ID: 811517cc5ce8bf1c333d78ca8c3606f36f70db056eacf00781032bc20c33903c
Opcode Fuzzy Hash: b4ea707cc2311828d2aa9ff599b25993e3d87c92e1152b0d357c61185b019fad
Instruction Fuzzy Hash: 99215171409384AFDB228F65DC85F96BFB8EF46310F08849AEA849F152D265A409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0099AA13, Relevance: 1.6, APIs: 1, Instructions: 76
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0099AAA2

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 033f319780e2e4872cb2677920e6dac338e6b41bafe76b88c6e0470835fa6b6a
Instruction ID: 136cbb90670db8f3c906228df6140f16032d6615639411c8d6c844defd22d1ba
Opcode Fuzzy Hash: 033f319780e2e4872cb2677920e6dac338e6b41bafe76b88c6e0470835fa6b6a
Instruction Fuzzy Hash: 8021D0715093806FD7129B25CC45F66BFB8EB96620F08849BEC448B253D225A808CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0099A52A, Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0099A5A9

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ded75a4f897ead8e6564714f0d91048b53065bd12d12437e81f7c7d1827e35e
Instruction ID: f48b4f75fe0ce986b6a9a0a1a59301b82581ca43a5adf8b200e62a64480ffe37
Opcode Fuzzy Hash: 2ded75a4f897ead8e6564714f0d91048b53065bd12d12437e81f7c7d1827e35e
Instruction Fuzzy Hash: 2A219271600740AFEB21DF69DC44B6AFBE8EF08310F148869F9458B251D775E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0099A6BB, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E2C,3AA22D34,00000000,00000000,00000000,00000000), ref: 0099A741

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 03cb3111658757cb3604df924cdd21c8f98c6af11e2dd91e2bfb4ea6ed917740
Instruction ID: 809e4d70841dfe6654fb00c740b2c24673c22ee817138c17927c023e3c1f474e
Opcode Fuzzy Hash: 03cb3111658757cb3604df924cdd21c8f98c6af11e2dd91e2bfb4ea6ed917740
Instruction Fuzzy Hash: C62105B54083806FE7128B65DC81BA2BFBCEF46310F0880DBEE848F153D264A909D772

Uniqueness

Uniqueness Score: -1.00%

Function 0099A600, Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0099A674

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6e253f2494a3e03e2bf032a0b9cc0b3534124c0945f9ba73b07d36c60ab21c3b
Instruction ID: 4cd6c4e4d09241c42d90ee55f547dbb663d3bcf452e118c84daff95a76e91eb4
Opcode Fuzzy Hash: 6e253f2494a3e03e2bf032a0b9cc0b3534124c0945f9ba73b07d36c60ab21c3b
Instruction Fuzzy Hash: 7821907550D7C49FDB138B29DC55692BFB4EF12220F0980EBDC858F163D268A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0099A448, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0099A4AF

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6c6677b73379cded1d1234b7307c6b9c3a20b6311a2b4565665e1e989c15e5c5
Instruction ID: aec3f4f1107aa1a99bcb44b4f4e3e57faf5c10b534aa1cb81e8a8b03c2bb94da
Opcode Fuzzy Hash: 6c6677b73379cded1d1234b7307c6b9c3a20b6311a2b4565665e1e989c15e5c5
Instruction Fuzzy Hash: C71184715053849FDB11CF29DC45B56BFE8EF56220F0984AAED45CF252D274E808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0099A88E, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E2C,3AA22D34,00000000,00000000,00000000,00000000), ref: 0099A8ED

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8302e59e3398e8efd3b0c4c9f369b1131458b5dff065b5dbaf49bef81a5ea06e
Instruction ID: b88a20cd35f87ea8055d74eae1fd836db5dd82c6b84ff068daf112957c02673d
Opcode Fuzzy Hash: 8302e59e3398e8efd3b0c4c9f369b1131458b5dff065b5dbaf49bef81a5ea06e
Instruction Fuzzy Hash: D311A771500204AFEB21DF59DC84F9AFBA8EF54710F14886AEE459B151D774A404DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0099A7AE, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E2C,3AA22D34,00000000,00000000,00000000,00000000), ref: 0099A80A

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 24954cd2c4f162ac77137843396507751daef1ffbff5d25274f16cca12a746d6
Instruction ID: 1dde00ca66dcc019c8f5aa1ab87472f23941b9032c5bdab07da222787508eb07
Opcode Fuzzy Hash: 24954cd2c4f162ac77137843396507751daef1ffbff5d25274f16cca12a746d6
Instruction Fuzzy Hash: D511A7B1500204AFEB21DF59DC84FA6FBA8EF44710F14C86AEE459B151D774A405CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0099A1F4, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0099A290

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: f16569433b1a67ce9106f66298049ed472f62eda0479aadbae4e463611fce5af
Instruction ID: 669ceef5bc318b278a95b39ba4ab38cba39a4d867db0339833faaec7ca310a32
Opcode Fuzzy Hash: f16569433b1a67ce9106f66298049ed472f62eda0479aadbae4e463611fce5af
Instruction Fuzzy Hash: 3D11E93550D3C48FDB528B25D854754BF70EF17320F1E84DBC9888F2A3C26A9949DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0099B020, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0099B074

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 61d719b559816ce858234b599cbe1c41d4aa6bc9627ee770e438ab20d3ab9da9
Instruction ID: 85776d6fbbf3bee304c92257326a8fd68d7d8c5de64b54db3cd5f14cdbe6e3d7
Opcode Fuzzy Hash: 61d719b559816ce858234b599cbe1c41d4aa6bc9627ee770e438ab20d3ab9da9
Instruction Fuzzy Hash: 0F115E754093849FDB128F25DC44B56BFA8DF56220F0884EAED848F252D279A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0099ADF7, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0099AE50

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ddba0b4e89dd201130f246d18ca93d6a6211f9688f2ae85d86937a5c55a6f2cc
Instruction ID: fecd02018ffa89e3e49f3fe62adc996b93a5c8078c9af8d79ae8df556a1d69d1
Opcode Fuzzy Hash: ddba0b4e89dd201130f246d18ca93d6a6211f9688f2ae85d86937a5c55a6f2cc
Instruction Fuzzy Hash: EA11A3715093849FDB128B29DC45A52FFB8EF06220F0984DBED858B262C274A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0099A46A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0099A4AF

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: b4eadc379376bafed7edbf2a3623e6e77b93b93b5be36218ea01da15fff529fc
Instruction ID: b0550d972d15f89a0ae2d41ea66fa7cc204fcec41b386ff6ed8166f93e3281eb
Opcode Fuzzy Hash: b4eadc379376bafed7edbf2a3623e6e77b93b93b5be36218ea01da15fff529fc
Instruction Fuzzy Hash: D71165756012448FDF10CF2AD889756FBE8EF44721F18C4AADD49CB652D274E804CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0099A6EE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,3AA22D34,00000000,00000000,00000000,00000000), ref: 0099A741

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 5ed4679a2745cd2e60d9cd3fd23b211a96280cb11aae99f3e6bee92a22356617
Instruction ID: 2750c8dab308004ec1b8450fe8f373cb60a4b05725c765ec7242bc42208be621
Opcode Fuzzy Hash: 5ed4679a2745cd2e60d9cd3fd23b211a96280cb11aae99f3e6bee92a22356617
Instruction Fuzzy Hash: B001B971904304AFEB20DB59DC85F66FBACDF44720F14C496EE459B241D678A504CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0099A23C, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0099A290

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5ce359581644353d94fae5a2b5df02bc7f84a63b07b2ca8d5b2af1fa80adb383
Instruction ID: 7f958e7c0e082357785f24c3ec5cdf375723290202950440eb777635d2bc9a0f
Opcode Fuzzy Hash: 5ce359581644353d94fae5a2b5df02bc7f84a63b07b2ca8d5b2af1fa80adb383
Instruction Fuzzy Hash: 9C118471409384AFDB228B15DC44B62FFB8DF56624F0880DBED858F253D275A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0099AA52, Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0099AAA2

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 1d00cef58f56be72bb0155bf9f471383f8141510b0f00385ecd0c3a005daeaa2
Instruction ID: 8dcdbac5f7a54447c2c7d04550c29514a154fcdab38bd16dd2f1da71fe2640d9
Opcode Fuzzy Hash: 1d00cef58f56be72bb0155bf9f471383f8141510b0f00385ecd0c3a005daeaa2
Instruction Fuzzy Hash: 0601B172900200ABD314DF1ADC85B66FBE8FB98B20F14856AED088B645E635F515CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0099A172, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 0099A1C2

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: a3048dfae8e08d1a03111ea3e863049bbf39518005efabe23543248cdb5cb1f7
Instruction ID: 07ba447d0b8b6652278aab884516336be450639c468393e6b6381b5ec423b78d
Opcode Fuzzy Hash: a3048dfae8e08d1a03111ea3e863049bbf39518005efabe23543248cdb5cb1f7
Instruction Fuzzy Hash: 9901B172900200ABD714DF1ADC85B66FBE8FB88A20F14856AED088B645E635F515CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0099A642, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0099A674

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cd25b0d92e33336aff71841437c6138cbafff9f35c0268fb7b137ca9895a9d44
Instruction ID: 107de242241839a443bd6a38ff8ff913c711c1eb69eabe03179d5ca40db82400
Opcode Fuzzy Hash: cd25b0d92e33336aff71841437c6138cbafff9f35c0268fb7b137ca9895a9d44
Instruction Fuzzy Hash: B901A2759042449FDB10CF29D8847A6FFA8EF44321F1CC4ABDD498F242D278A408CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0099AE1E, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 0099AE50

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 81fb9eb8a8010f250b52b37f974045cb8ab65c24d7955fc0b8cd810eee3feb25
Instruction ID: 52781d8d0fb2d26d5d6e963fbff8a0d48fd89fe244ffb2a1ce43b9819c94d6e0
Opcode Fuzzy Hash: 81fb9eb8a8010f250b52b37f974045cb8ab65c24d7955fc0b8cd810eee3feb25
Instruction Fuzzy Hash: 850181755002458FEB108F59E885765FFA8EF44720F18C4AADD498B652D279A848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0099A25E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0099A290

Memory Dump Source

Source File: 0000000E.00000002.355232203.000000000099A000.00000040.00000001.sdmp, Offset: 0099A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_99a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8ddd6fe47973221aadd277a1dfb20855758ffb7dbc7a869f8779d7cf9432b8e8
Instruction ID: 345eb093126461f4be32877dbefdf8e8b1886f64748542cd60641b3a474d1864
Opcode Fuzzy Hash: 8ddd6fe47973221aadd277a1dfb20855758ffb7dbc7a869f8779d7cf9432b8e8
Instruction Fuzzy Hash: F8F0C2758046448FEB20CF19D884769FFA4EF49721F18C49ADD594B352D27AA408CEE2

Uniqueness

Uniqueness Score: -1.00%

Function 009A086F, Relevance: 1.0, Instructions: 964COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355238042.00000000009A0000.00000040.00000040.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6d645560817cacca0966ad75fa3f2a3bb3c66e47ef4483518b1968e428ef69
Instruction ID: eee8de9cb7ff875a6f48bd0297cf80aa372c7e6dccff6a289957ec20fa97fec0
Opcode Fuzzy Hash: bb6d645560817cacca0966ad75fa3f2a3bb3c66e47ef4483518b1968e428ef69
Instruction Fuzzy Hash: 5A11E26254E2800FD70387286C560A5BFE4DE83335B1886FBD888CF253E11A995A87E7

Uniqueness

Uniqueness Score: -1.00%

Function 04AC0C18, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.357122816.0000000004AC0000.00000040.00000001.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4ac0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4857be8a2c2c44495d2793cba0e6292149587d2fe151f76fb717069c9ac56ca
Instruction ID: 4bf769e89978e49269bb4aae10a11a94e6c086d2d6a065f0afd339b46543d89f
Opcode Fuzzy Hash: a4857be8a2c2c44495d2793cba0e6292149587d2fe151f76fb717069c9ac56ca
Instruction Fuzzy Hash: 63513774E42208DFDB18DFB5D490AAEBBB2FF8A315F209429E405B7350DB35A842CB54

Uniqueness

Uniqueness Score: -1.00%

Function 04AC0AAF, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.357122816.0000000004AC0000.00000040.00000001.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4ac0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087a8581046578913a102ac3eebecc9bd7ce8c956bd4a9d34ed1e9772403db7f
Instruction ID: d7c2606f92dfe91bfc920f0170ecfd4aae6be6ff7e36f71197e7c3ff5c36f4cc
Opcode Fuzzy Hash: 087a8581046578913a102ac3eebecc9bd7ce8c956bd4a9d34ed1e9772403db7f
Instruction Fuzzy Hash: 84215575D05109CFCB00DFA5E9486EEBBB2EF89305F20856AD811B7254EB70A946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04AC0AC0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.357122816.0000000004AC0000.00000040.00000001.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4ac0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bdc2976f00b3dec0a16cf29aa83571a890d282908e173dc4d5c84f1ce4d53b6
Instruction ID: 94b8cb5e806cef87011e0c4c9c05d0a9c923691084150e6956cc1d8dc195be64
Opcode Fuzzy Hash: 2bdc2976f00b3dec0a16cf29aa83571a890d282908e173dc4d5c84f1ce4d53b6
Instruction Fuzzy Hash: 02216835D04109CFCB00EFA5D9446EEBBB6FB88305F10852AD410B3254EB70A905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A05C0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355238042.00000000009A0000.00000040.00000040.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c0720981f2eba5fcb5714662295dbe56e9a1346dc9c9fe114e8dfb005427b6
Instruction ID: 108a3a167d89c3f026be9c7d3b7339fa811333317e50fe303a21028157b38032
Opcode Fuzzy Hash: 53c0720981f2eba5fcb5714662295dbe56e9a1346dc9c9fe114e8dfb005427b6
Instruction Fuzzy Hash: 6501A7765093405FD3158F16EC41893BBE8EB86330719849BEC49CB252D125B908CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 009A05B0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355238042.00000000009A0000.00000040.00000040.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f59a26ee2ce852dd4f2f69a400f2b93c6209f90a548e28c3db510e12be2767
Instruction ID: 125b28cd6491b70f686788742d10533c8e5665d03a0965432cfaba0b52488db0
Opcode Fuzzy Hash: 14f59a26ee2ce852dd4f2f69a400f2b93c6209f90a548e28c3db510e12be2767
Instruction Fuzzy Hash: 1AF086765093845FD7118F16EC41862FFA8EB86620749C4ABED498B652D125B808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 009A05D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355238042.00000000009A0000.00000040.00000040.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915538dfba54764207161a05a91b4fccc4b45e13d7113d2ceaf6879a82edb0db
Instruction ID: c73e182ed1411b766f7b8b7305cfd84a062bb544539d8cbd41b628f87f2e74d7
Opcode Fuzzy Hash: 915538dfba54764207161a05a91b4fccc4b45e13d7113d2ceaf6879a82edb0db
Instruction Fuzzy Hash: D30186B65097846FD7128F16EC41862FFB8DF86620709C8DFEC498B612D225A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 009A080C, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355238042.00000000009A0000.00000040.00000040.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8860ae3d9abd220eea89be390f8664665756e9ce874ea964963a55d760c183
Instruction ID: 710c59514bd818c2980b89ca62d39a2791e61100269a6f59c8ce876a1e00b804
Opcode Fuzzy Hash: 2f8860ae3d9abd220eea89be390f8664665756e9ce874ea964963a55d760c183
Instruction Fuzzy Hash: 77F062B25056047FD210DE09EC41CA7FBECEF95621B04C92EFD499B200E276B9188AF2

Uniqueness

Uniqueness Score: -1.00%

Function 04AC0E20, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.357122816.0000000004AC0000.00000040.00000001.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4ac0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8385c57ca29883e5b0829322bdb64c0cdda0b0a91db5efa057a3b6381132353a
Instruction ID: b0ee6e17e3ab605adcb8aa680c86d6b847c312eb880f831e06bad09a73e4a1e6
Opcode Fuzzy Hash: 8385c57ca29883e5b0829322bdb64c0cdda0b0a91db5efa057a3b6381132353a
Instruction Fuzzy Hash: 3B012270C4625ADFCB14EFB8C4447AEBBB1AF06315F2099AEC401A3280C7789A80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04AC0E30, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.357122816.0000000004AC0000.00000040.00000001.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4ac0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8abcdf81d74ec392404b1bbe5050fd5e7067177f7c502e76513d0d4e1ed27e
Instruction ID: d06ab15ba082f31aee5c1f00b53d963e72d6ac185753f995d33eccffe9a6d7ca
Opcode Fuzzy Hash: cc8abcdf81d74ec392404b1bbe5050fd5e7067177f7c502e76513d0d4e1ed27e
Instruction Fuzzy Hash: 4A01EF70C4620ADFCB04EFA4C5457AEBBB1BB45305F6099ADC40573380DB79AA80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04AC0BA7, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.357122816.0000000004AC0000.00000040.00000001.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4ac0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea25f105c5e5a5f33f491c5e33c0814c035451b910b37df41223f0ea6e7b34e9
Instruction ID: 370c1bc9ca4492d93cd6bcff5aca6971b45de95b62eabda5d5684523546c36f6
Opcode Fuzzy Hash: ea25f105c5e5a5f33f491c5e33c0814c035451b910b37df41223f0ea6e7b34e9
Instruction Fuzzy Hash: 7201F6B4D09249DFCF44DFA9C9456AEBFB1EF55300F2085AAC409B7241E6346A01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 009A081E, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355238042.00000000009A0000.00000040.00000040.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f593aa9d81ec918aa578232ee8e63a9954032eb30607d817780f3865a032ba73
Instruction ID: 6e12cb44c8f202486f3fb3761d0c077ece2b37690b370c5d05747f3755413660
Opcode Fuzzy Hash: f593aa9d81ec918aa578232ee8e63a9954032eb30607d817780f3865a032ba73
Instruction Fuzzy Hash: 1AF0A7B28056046FD200DF09EC41896F7ECDF94621F14C56FED088B300E676B9144EF2

Uniqueness

Uniqueness Score: -1.00%

Function 009A05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355238042.00000000009A0000.00000040.00000040.sdmp, Offset: 009A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_9a0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1472d0c23cea2490203615a6708ea38d3b71f30e07f909cb7ab0e41f4cb9099
Instruction ID: 947e47a37eccbc32310dde8349f6e41ce5bbe4416a73bac2c41375351ca00c2e
Opcode Fuzzy Hash: d1472d0c23cea2490203615a6708ea38d3b71f30e07f909cb7ab0e41f4cb9099
Instruction Fuzzy Hash: 8AE092B66007044BD654CF0AEC81452F7D8EB88630718C47FDC0D8B701D139B508CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 009923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355225984.0000000000992000.00000040.00000001.sdmp, Offset: 00992000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_992000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c015f2c0dd824ad8228986bb0238c17c93fb52fe1e992d181cfb7a12b2c23f6
Instruction ID: ea7d45e370c45c976a5eae096c383a63216070e8237b4939eaebabe561b7e48e
Opcode Fuzzy Hash: 1c015f2c0dd824ad8228986bb0238c17c93fb52fe1e992d181cfb7a12b2c23f6
Instruction Fuzzy Hash: BDD05E79209A815FD7268B1CC1A8B953B98EF61B04F4644F9E8008B673C368D9C1D200

Uniqueness

Uniqueness Score: -1.00%

Function 009923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.355225984.0000000000992000.00000040.00000001.sdmp, Offset: 00992000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_992000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c306588d81552df4ebc73ffb3f4932be51ea05c15613b6236996f88a4fd4a58
Instruction ID: 858b1cdfd0fb7e613c44e801a9916514234ee17bcf768c870f6e929fb84c937a
Opcode Fuzzy Hash: 5c306588d81552df4ebc73ffb3f4932be51ea05c15613b6236996f88a4fd4a58
Instruction Fuzzy Hash: 88D05E342012814BCB15DB1CC195F5937D8AB41B00F0644E8AC008B262C3A8EC81C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04AC0299, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.357122816.0000000004AC0000.00000040.00000001.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4ac0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad515c3e3bb072ab806259be37b9848eea565eed86084b1d06708a9dc74ba54
Instruction ID: 3c0dc470b1622c0e52d9d09ad75b26b931d461d90e88f6ca4554d209e927d463
Opcode Fuzzy Hash: dad515c3e3bb072ab806259be37b9848eea565eed86084b1d06708a9dc74ba54
Instruction Fuzzy Hash: 89810974D14605DFDB14EFA9E844A9DBBB3FF89301F10C6A9E809A7268EB305946DF10

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DpiScaling.exe PID: 6360 Parent PID: 6440 DpiScaling.exeCOMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	99.2%
Signature Coverage:	11.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	136

Executed Functions

Function 0040D325, Relevance: 77.1, APIs: 26, Strings: 18, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,0046B570,aqyuio-EG6HAK,00000001,0040C963), ref: 0040D338
GetProcAddress.KERNEL32(00000000), ref: 0040D341
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA), ref: 0040D35C
GetProcAddress.KERNEL32(00000000), ref: 0040D35F
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW), ref: 0040D370
GetProcAddress.KERNEL32(00000000), ref: 0040D373
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW), ref: 0040D38D
GetProcAddress.KERNEL32(00000000), ref: 0040D390
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 0040D3A1
GetProcAddress.KERNEL32(00000000), ref: 0040D3A4
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040D3B5
GetProcAddress.KERNEL32(00000000), ref: 0040D3B8
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW), ref: 0040D3C9
GetProcAddress.KERNEL32(00000000), ref: 0040D3CC
GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin), ref: 0040D3DD
GetProcAddress.KERNEL32(00000000), ref: 0040D3E0
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy), ref: 0040D3F1
GetProcAddress.KERNEL32(00000000), ref: 0040D3F4
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW), ref: 0040D405
GetProcAddress.KERNEL32(00000000), ref: 0040D408
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors), ref: 0040D419
GetProcAddress.KERNEL32(00000000), ref: 0040D41C
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW), ref: 0040D42D
GetProcAddress.KERNEL32(00000000), ref: 0040D430
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C), ref: 0040D43E
GetProcAddress.KERNEL32(00000000), ref: 0040D441

Strings

kernel32.dll, xrefs: 0040D39C
GetModuleFileNameExW, xrefs: 0040D366, 0040D383
EnumDisplayMonitors, xrefs: 0040D40A
GetModuleFileNameExA, xrefs: 0040D32E, 0040D352
GetMonitorInfoW, xrefs: 0040D41E
IsUserAnAdmin, xrefs: 0040D3CE
EnumDisplayDevicesW, xrefs: 0040D3F6
GetComputerNameExW, xrefs: 0040D3BA
user32, xrefs: 0040D3FB, 0040D40F, 0040D423
IsWow64Process, xrefs: 0040D3A6
Psapi.dll, xrefs: 0040D333, 0040D36B
GlobalMemoryStatusEx, xrefs: 0040D397
SetProcessDEPPolicy, xrefs: 0040D3E2
Shell32, xrefs: 0040D3D3
Kernel32.dll, xrefs: 0040D357, 0040D388
Shlwapi.dll, xrefs: 0040D434
kernel32, xrefs: 0040D3AB, 0040D3BF, 0040D3E7
aqyuio-EG6HAK, xrefs: 0040D32C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$aqyuio-EG6HAK$kernel32$kernel32.dll$user32
API String ID: 551388010-2259639946
Opcode ID: 74fc633e5fcbd5ac73a213ec62fb85bea75a90e755ff98c6f769d39eb169cdb1
Instruction ID: c75e32171d5730ddb7a7db99e84bf82c9085a648398e1f70354b2248800a27cb
Opcode Fuzzy Hash: 74fc633e5fcbd5ac73a213ec62fb85bea75a90e755ff98c6f769d39eb169cdb1
Instruction Fuzzy Hash: 0421F9A1E8075C75DA206FB59C0EE0B2E589A85B573600837F900A3593FAFC841CCE6F

Uniqueness

Uniqueness Score: -1.00%

Function 00414CCB, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrToIntA.SHLWAPI(00000000,00000002,00000001,00000000,?,00000001,000000FF,00000000), ref: 00414D1F
mouse_event.USER32 ref: 00414EC1

Part of subcall function 00414B65: GetSystemMetrics.USER32 ref: 00414B9A
Part of subcall function 00414B65: GetSystemMetrics.USER32 ref: 00414BAF

Part of subcall function 00414F97: SendInput.USER32(00000001,?,0000001C,?,00000000,?,00000001,000000FF,00000000), ref: 00414FC3

Strings

0, xrefs: 00414CF5
2, xrefs: 00414D96
3, xrefs: 00414DF6
5, xrefs: 00414EA8
4, xrefs: 00414E57
6, xrefs: 00414EB2
1, xrefs: 00414D37

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: MetricsSystem$InputSendmouse_event
String ID: 0$1$2$3$4$5$6
API String ID: 1731092567-2737206560
Opcode ID: 330588d82e347c94020ec06dd5f808e16b6b7c1580786b0099b19a451629587a
Instruction ID: e88c964e6856b39238ad1575c4c73992f386484ca69b7d926d55659172879567
Opcode Fuzzy Hash: 330588d82e347c94020ec06dd5f808e16b6b7c1580786b0099b19a451629587a
Instruction Fuzzy Hash: 5451BF709083029FC714EF20D851B9B77A4EF85750F10442FF9926B2D1EB789949CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004120F3, Relevance: 11.0, APIs: 7, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?), ref: 00412115
GetTickCount.KERNEL32 ref: 004121A3

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID:
API String ID: 180926312-0
Opcode ID: 1ec4b6f4736e2f5d0eb20c177b4159fb9932a85187cd197e175448b0445da835
Instruction ID: 10c5b134f1e5d4c12084a7ac8715458b4ffdea000665c14eb308d53ab04379e6
Opcode Fuzzy Hash: 1ec4b6f4736e2f5d0eb20c177b4159fb9932a85187cd197e175448b0445da835
Instruction Fuzzy Hash: B2F1A2716043019AC614FB72DD57AEE73A4AB81308F40083FF546A71E3EE7C9A49879B

Uniqueness

Uniqueness Score: -1.00%

Function 00404E50, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 96
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(00000001,0046B230,0046B760,00000000,?,?,?,?,?,?,?,?,?,?,?,004122FB), ref: 00404E88
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046B230,0046B760,00000000), ref: 00404F3B
CreateThread.KERNELBASE(00000000,00000000,Function_00005140,?,00000000,00000000), ref: 00404F4E

Strings

Connection KeepAlive enabled, xrefs: 00404EAA
Connection KeepAlive timeout: %i, xrefs: 00404EF8
%02i:%02i:%02i:%03i [Info] , xrefs: 00404E9A, 00404EAF, 00404EFD

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i
API String ID: 2532271599-119634454
Opcode ID: 68a019bd6ac8e4bb09b92565479374c56cb3f6591434e4ff8a57615aabaa2e92
Instruction ID: 63319bf4d6645e0eb0afd984e4cbdee73e080338318c565c68f350d6ac232046
Opcode Fuzzy Hash: 68a019bd6ac8e4bb09b92565479374c56cb3f6591434e4ff8a57615aabaa2e92
Instruction Fuzzy Hash: AD3154B1900254B9CB14ABA68C09EFFBBBCAB95705F00006FF541B21D2EB7C9945D775

Uniqueness

Uniqueness Score: -1.00%

Function 0040D6F4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004105BC: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004105DC
Part of subcall function 004105BC: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046B510), ref: 004105FA
Part of subcall function 004105BC: RegCloseKey.KERNELBASE(?), ref: 00410605

Sleep.KERNELBASE(00000BB8), ref: 0040D7A8
ExitProcess.KERNEL32 ref: 0040D81D

Strings

pth_unenc, xrefs: 0040D74D, 0040D7C0
override, xrefs: 0040D713
3.1.2 Pro, xrefs: 0040D783, 0040D7F6

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.1.2 Pro$override$pth_unenc
API String ID: 2281282204-3597056104
Opcode ID: 53f04d403571ea2ac1608c22710508b2aed1ceba2272a689f4176caf93d93de1
Instruction ID: 9a81d0240d99662c9fb8c3d1778799d6bbac3891116b35864bfe70ebd33962d3
Opcode Fuzzy Hash: 53f04d403571ea2ac1608c22710508b2aed1ceba2272a689f4176caf93d93de1
Instruction Fuzzy Hash: 5221B131B4030067D60876B68C5BAAE31559B81708F50043FB816B72E3EEBD998A87DF

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF59, Relevance: 4.5, APIs: 3, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000000,?,0042DC12,00000034,00000000,00000200,?), ref: 0042DF6E
CryptGenRandom.ADVAPI32(00000000,00000200,?,?,0042DC12,00000034,00000000,00000200,?), ref: 0042DF83
CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042DC12,00000034,00000000,00000200,?), ref: 0042DF95

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 5319e8526ca9981c8c78e74b69d2b420cba3710fdbf78039c81efc3cd1e0f248
Instruction ID: abbd67c51956f5bdb7a45edd59a5edea919aca2e04d2d48f71862602134bd08a
Opcode Fuzzy Hash: 5319e8526ca9981c8c78e74b69d2b420cba3710fdbf78039c81efc3cd1e0f248
Instruction Fuzzy Hash: 68F0653270C320BEFB300E25BD04F973B58DB82B65FA10136F20AD40E4D6A29400D55C

Uniqueness

Uniqueness Score: -1.00%

Function 1059109B, Relevance: 3.4, APIs: 2, Instructions: 381memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 10591267
LoadLibraryA.KERNELBASE(00079038,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 105913BE

Memory Dump Source

Source File: 00000019.00000002.500238285.0000000010590000.00000040.00000001.sdmp, Offset: 10590000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_10590000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 003ea7f4a64e86fc2e09bd141fddb360db5cf2df6f081e04d7ef2cb8935a30f2
Instruction ID: b8cdb13a973d25ee558c39d9e13bb9264a030001fa0484412dae19f0a43e4948
Opcode Fuzzy Hash: 003ea7f4a64e86fc2e09bd141fddb360db5cf2df6f081e04d7ef2cb8935a30f2
Instruction Fuzzy Hash: 4AD1B071A00225AFDB14CF69CC84B9EBBB6FF84350F25C56DE809AB655DB30AD01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00416A5B, Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,?,0046B570), ref: 00416A78
GetUserNameW.ADVAPI32(?,00000014), ref: 00416A90

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 487b130986d8d65ceb33f8ed124e19d67cf0a7212f7d5d8fa9b3e414445a0ac9
Instruction ID: 58854747d466710df5c02b9097637897b371f9338986f2c3849f88f4f15bd3d5
Opcode Fuzzy Hash: 487b130986d8d65ceb33f8ed124e19d67cf0a7212f7d5d8fa9b3e414445a0ac9
Instruction Fuzzy Hash: C6011D7290011CABCB14EBD1DC45ADEB77CEF84305F10016BF905B31A5EEB46B898BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404B18, Relevance: 1.5, APIs: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(FFFFFFFF,0046AACC,?,00000000), ref: 00404B3F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: c8069c2358ae33e4d3e95bbebe172d4db5033c00d08d929c54d852ebf1b39f53
Instruction ID: 822fd04aab6c8f79eb15d658420fb516407e027e7239d9e5ab2324ad1b441008
Opcode Fuzzy Hash: c8069c2358ae33e4d3e95bbebe172d4db5033c00d08d929c54d852ebf1b39f53
Instruction Fuzzy Hash: 11E08676004108BFDB065F50DD06F957F25DB45321F20815FF6040D1A1E673E492DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00408667, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 0040866C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: KeyboardLayout
String ID:
API String ID: 194098044-0
Opcode ID: d744dc9e4d087d506e521249fc77391539e469dcc9cfa59ae4c5fd823a0bf1ea
Instruction ID: 8d58369ea1741f7fb26af0b58c54a4bcb4b1ac9c0c93ac9570cac8408da50682
Opcode Fuzzy Hash: d744dc9e4d087d506e521249fc77391539e469dcc9cfa59ae4c5fd823a0bf1ea
Instruction Fuzzy Hash: 96D02333A407301ED33451147D057911540D790721F86447FFDC44A0D4C8F98483014C

Uniqueness

Uniqueness Score: -1.00%

Function 0042F22B, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0002F237,0042EF1A), ref: 0042F230

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cae7992ed1f1edd2c932f77e283c29aa5cb70a78727c464502b2d2c5fb121cf6
Instruction ID: 25aedeffd6300f135add581ef8e64f3d174b109b912f661d9a2f71b8656ea8d7
Opcode Fuzzy Hash: cae7992ed1f1edd2c932f77e283c29aa5cb70a78727c464502b2d2c5fb121cf6
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040C721, Relevance: 60.4, APIs: 16, Strings: 18, Instructions: 891
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 0040C8CF
WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C8E1
CloseHandle.KERNEL32(00000000), ref: 0040C8E8
CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,0000000E), ref: 0040C947
GetLastError.KERNEL32 ref: 0040C94D
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\DpiScaling.exe,00000104), ref: 0040C970

Part of subcall function 0040EEF9: __EH_prolog.LIBCMT ref: 0040EEFE

Strings

Inj, xrefs: 0040C8F2, 0040C8FD, 0040C912
(64 bit), xrefs: 0040C9BD
ProductName, xrefs: 0040C97C
Remcos_Mutex_Inj, xrefs: 0040C8C0
User, xrefs: 0040D21A
origmsc, xrefs: 0040CA1F
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0040C981
licence, xrefs: 0040CD2E
Access level: , xrefs: 0040D22B
[Info], xrefs: 0040D23D
exepath, xrefs: 0040CCF3, 0040CDD4
(32 bit), xrefs: 0040C9C4
Administrator, xrefs: 0040D1F6
C:\Windows\SysWOW64\DpiScaling.exe, xrefs: 0040C968, 0040CC58
Software\, xrefs: 0040C824
licence_code.txt, xrefs: 0040C795
sdghbq, xrefs: 0040CA6E
aqyuio-EG6HAK, xrefs: 0040C92B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Mutex$CloseCreateErrorFileH_prologHandleLastModuleNameObjectOpenSingleWait
String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\SysWOW64\DpiScaling.exe$Inj$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$[Info]$aqyuio-EG6HAK$exepath$licence$licence_code.txt$origmsc$sdghbq
API String ID: 1247502528-2904634204
Opcode ID: cf35bda1d201136131f362457f3c7ae1e204cc32d506f3a5db34f07f357ae97b
Instruction ID: da8739843095e03b1d33fcebf912fddb9b78e4c167fe638804d04a3a52fe375c
Opcode Fuzzy Hash: cf35bda1d201136131f362457f3c7ae1e204cc32d506f3a5db34f07f357ae97b
Instruction Fuzzy Hash: AE42A360B043416AD715B772D866B7F26998B81348F04443FF842BB2E3EE7C9D49879E

Uniqueness

Uniqueness Score: -1.00%

Function 0041464D, Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 298
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414668
CreateCompatibleDC.GDI32(00000000), ref: 00414674

Part of subcall function 00414A84: GetMonitorInfoW.USER32(?,?), ref: 00414AA4

Part of subcall function 00414AD0: GetMonitorInfoW.USER32(?,?), ref: 00414AF0

CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 004146C2
DeleteDC.GDI32(00000000), ref: 004146D6
DeleteDC.GDI32(00000000), ref: 004146D9
DeleteObject.GDI32(?), ref: 004146DD
SelectObject.GDI32(00000000,00000000), ref: 004146E7
DeleteDC.GDI32(00000000), ref: 004146F8
DeleteDC.GDI32(00000000), ref: 004146FB
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00414737
GetCursorInfo.USER32(?,?,?), ref: 00414752
GetIconInfo.USER32(?,?), ref: 00414766
DeleteObject.GDI32(?), ref: 0041478B
DeleteObject.GDI32(?), ref: 00414794
DrawIcon.USER32 ref: 004147A3
GetObjectA.GDI32(?,00000018,?), ref: 004147B7
LocalAlloc.KERNEL32(00000040,00000001,?,?), ref: 0041481D
GlobalAlloc.KERNELBASE(00000000,?,?,?), ref: 00414886
GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000000,00000000), ref: 004148AA
DeleteDC.GDI32(?), ref: 004148BD
DeleteDC.GDI32(00000000), ref: 004148C0
DeleteObject.GDI32(?), ref: 004148C5
GlobalFree.KERNEL32 ref: 004148CF
DeleteObject.GDI32(?), ref: 00414974
GlobalFree.KERNEL32 ref: 0041497B
DeleteDC.GDI32(?), ref: 0041498A
DeleteDC.GDI32(00000000), ref: 0041498D

Strings

DISPLAY, xrefs: 00414661

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
String ID: DISPLAY
API String ID: 517350757-865373369
Opcode ID: 8c51480ac7d0ecb1121c4ea5ceb200defcdc85f9adc2fe552741c5aabcffd22f
Instruction ID: bc786578904bbf8763350c603b9f37c893e679db2ec5fdced74ecc45254718a5
Opcode Fuzzy Hash: 8c51480ac7d0ecb1121c4ea5ceb200defcdc85f9adc2fe552741c5aabcffd22f
Instruction Fuzzy Hash: 6BB1A175900219AFDB14DFA0DD45BEE7BB8FF49711F00402AFA09E7290DB78AA45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041169C, Relevance: 28.7, APIs: 6, Strings: 10, Instructions: 728
sleepnetworkthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,751443E0,0046B570,00000000), ref: 004116ED

Part of subcall function 0041693E: GetLocalTime.KERNEL32(00000000), ref: 00416958

gethostbyname.WS2_32(00000000), ref: 004118DE
htons.WS2_32(00000000), ref: 0041191C
Sleep.KERNEL32(00000000,00000002), ref: 004120E0

Part of subcall function 00410767: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046B510), ref: 00410783
Part of subcall function 00410767: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041079C
Part of subcall function 00410767: RegCloseKey.KERNELBASE(00000000), ref: 004107A7

GetTickCount.KERNEL32 ref: 00411B0E

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

CreateThread.KERNEL32 ref: 0041208F

Strings

Connected to , xrefs: 0041196E
Connecting to , xrefs: 00411864
[Info], xrefs: 00411896, 004119A6, 00412068
name, xrefs: 00411A74
Disconnected!, xrefs: 00412059
C:\Windows\SysWOW64\DpiScaling.exe, xrefs: 00411AAB
(TLS), xrefs: 0041182F
aqyuio-EG6HAK, xrefs: 00411AF7
3.1.2 Pro, xrefs: 00411B8C
%I64u, xrefs: 00411A08

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Sleep$CloseCountCreateLocalOpenQueryThreadTickTimeValuegethostbynamehtonssend
String ID: (TLS)$%I64u$3.1.2 Pro$C:\Windows\SysWOW64\DpiScaling.exe$Connected to $Connecting to $Disconnected!$[Info]$aqyuio-EG6HAK$name
API String ID: 2130001850-1980302195
Opcode ID: 5716c39cccb8197ffc6334e522074ae87d942ea51348cbad42531a0cd6aaf689
Instruction ID: 22e8d103ae15c4167d55507a812d577185ed020b728874cceef96e24ab8a0c3d
Opcode Fuzzy Hash: 5716c39cccb8197ffc6334e522074ae87d942ea51348cbad42531a0cd6aaf689
Instruction Fuzzy Hash: 75428D71A002155ACB18F722DC56AEE7375AB50308F5041BFB40AB71E2EF7C5F86CA89

Uniqueness

Uniqueness Score: -1.00%

Function 00408E28, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00408E8A
Sleep.KERNELBASE(000001F4), ref: 00408E95
GetForegroundWindow.USER32 ref: 00408E9B
GetWindowTextLengthA.USER32(00000000), ref: 00408EA4
GetWindowTextA.USER32 ref: 00408ED8
Sleep.KERNEL32(000003E8,00000000,-00000001,?), ref: 00408FAB

Part of subcall function 004089CC: SetEvent.KERNEL32(?,?,?,?,00409E65), ref: 004089F9

Strings

[ , xrefs: 00408F3F
], xrefs: 00408F44
minutes }, xrefs: 00408FD8
{ User has been idle for , xrefs: 00408FE4

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [ ${ User has been idle for $ ]$ minutes }
API String ID: 911427763-3343415809
Opcode ID: f5a1235f64c3ad0fa71ad7f82f5fb05e871649314a3f02b1bed499845751f9ec
Instruction ID: 4bc5903484beb61e339ab9eca1fd1f122053bf6a6715cb648f32c305f500e31e
Opcode Fuzzy Hash: f5a1235f64c3ad0fa71ad7f82f5fb05e871649314a3f02b1bed499845751f9ec
Instruction Fuzzy Hash: 4651D0716043419BC214FB35D98AA6E7795AB95318F40093FF586B32E2EF7C9E04868F

Uniqueness

Uniqueness Score: -1.00%

Function 00417CAD, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 00417E04

Strings

\system32, xrefs: 00417D27
UserProfile, xrefs: 00417DD8
Temp, xrefs: 00417CDF
\SysWOW64, xrefs: 00417D79
SystemDrive, xrefs: 00417D0A
AppData, xrefs: 00417DD1
WinDir, xrefs: 00417D14, 00417D36, 00417D88
ProgramFiles, xrefs: 00417DCA

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-1609423294
Opcode ID: 516d10be3d94e84db8d73de1aabff1f7ded6a5de185679ad66d8b9a5d71015be
Instruction ID: 3d9faba19d0fb364bbb50664029af7b328d3b84aa2d39c76ce4744e2ff1bde3f
Opcode Fuzzy Hash: 516d10be3d94e84db8d73de1aabff1f7ded6a5de185679ad66d8b9a5d71015be
Instruction Fuzzy Hash: 614154711082009BC608FB62DC52CFFB7A8AED0759F10053FB952621E2EE785E89C65F

Uniqueness

Uniqueness Score: -1.00%

Function 00408AC3, Relevance: 9.2, APIs: 6, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00002710), ref: 00408ADC

Part of subcall function 00408A12: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408AE9), ref: 00408A48
Part of subcall function 00408A12: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408AE9), ref: 00408A57
Part of subcall function 00408A12: Sleep.KERNEL32(00002710,?,?,?,00408AE9), ref: 00408A84
Part of subcall function 00408A12: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00408AE9), ref: 00408A8B

CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00408B18
GetFileAttributesW.KERNELBASE(00000000), ref: 00408B29
SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 00408B40
PathFileExistsW.KERNELBASE(00000000,00000000,00000000,00000012), ref: 00408BB9

Part of subcall function 0041762A: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,00413490), ref: 00417647

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0045E66C), ref: 00408CB1

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
String ID:
API String ID: 110482706-0
Opcode ID: 2e95d99fa155219b829f0efbc1e9edeba58250e87363133c63c153985f882dfe
Instruction ID: e82c794ef0d128f6615534b69eb3fdd19616660d0f4166b3efc0ba5e8f9af3f1
Opcode Fuzzy Hash: 2e95d99fa155219b829f0efbc1e9edeba58250e87363133c63c153985f882dfe
Instruction Fuzzy Hash: A741C27160430157CB19BB71CD669AF77A99F81308F00053FF942B72E2EF7C9A05869A

Uniqueness

Uniqueness Score: -1.00%

Function 0040868D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408667: GetKeyboardLayout.USER32 ref: 0040866C

CreateThread.KERNELBASE(00000000,00000000,00408785,?,00000000,00000000), ref: 00408704
CreateThread.KERNELBASE(00000000,00000000,0040876A,?,00000000,00000000), ref: 00408714
CreateThread.KERNELBASE(00000000,00000000,Function_00008794,?,00000000,00000000), ref: 00408720

Part of subcall function 00409277: GetLocalTime.KERNEL32(?,?,00000000), ref: 00409285
Part of subcall function 00409277: SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0040932B

Strings

Offline Keylogger Started, xrefs: 004086B7, 004086C3, 004086D5
[Info], xrefs: 004086E0

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread$EventKeyboardLayoutLocalTime
String ID: Offline Keylogger Started$[Info]
API String ID: 1520917520-3531117058
Opcode ID: 8f158dbe059707dcff34fd17e91c4f7f7e77b558e7ae53685ed04657b70b5afc
Instruction ID: 8ff03be2f967a1cba5815ffa35df19f5d3f233f2d1808dd9ed804f7afb26ad18
Opcode Fuzzy Hash: 8f158dbe059707dcff34fd17e91c4f7f7e77b558e7ae53685ed04657b70b5afc
Instruction Fuzzy Hash: 050169A16003087AD62476368DCAC7F7A1CCA8279CB54057FF985321C3DD795E15C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 00417595, Relevance: 7.6, APIs: 5, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00412EFD,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000000,00000000,?,004176BF,00000000,00000000), ref: 004175D4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000000,00000000,?,004176BF,00000000,00000000,00000000), ref: 004175F0
CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,004176BF,00000000,00000000,00000000), ref: 004175FC
WriteFile.KERNELBASE(00000000,00000000,00000000,00412EFD,00000000,?,00000000,00000000,?,004176BF,00000000,00000000,00000000), ref: 0041760E
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,00000000,?,004176BF,00000000,00000000,00000000), ref: 0041761B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
String ID:
API String ID: 1087594267-0
Opcode ID: 208603a4104985b557d5b2920daba598690c3bdd8bc1b5a0d3e68ce1df20cc00
Instruction ID: d9d04c74c1270e28f084aa363ec3a3f7c1542675f4bab1acb40356a7b1a6b8f2
Opcode Fuzzy Hash: 208603a4104985b557d5b2920daba598690c3bdd8bc1b5a0d3e68ce1df20cc00
Instruction Fuzzy Hash: 3311E071208218BFEB104F289C89EFB7BBDEB02335F104267FA15C6680D6748E818669

Uniqueness

Uniqueness Score: -1.00%

Function 0044601B, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00446024
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00446047

Part of subcall function 0043E44C: RtlAllocateHeap.NTDLL(00000000,0042F96C,?,?,004310B7,?,?,00000000,?,?,0040BB2E,0042F96C,?,?,?,?), ref: 0043E47E

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044606D
_free.LIBCMT ref: 00446080
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044608F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: facede587c43ecea8b1a248a2ac8082bf58a8227869f904bbf3111c51c31392d
Instruction ID: 7639030d5dc5c0a98d1e5821bfb61a6dadfc4b8e9ff8b43d3f638b7e4c13198c
Opcode Fuzzy Hash: facede587c43ecea8b1a248a2ac8082bf58a8227869f904bbf3111c51c31392d
Instruction Fuzzy Hash: B801D472602B117B37219A775C8CC7B696DDEC7BA671A012FFD04C6251DE69CC0281BA

Uniqueness

Uniqueness Score: -1.00%

Function 004142E3, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041464D: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414668
Part of subcall function 0041464D: CreateCompatibleDC.GDI32(00000000), ref: 00414674

SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 0041438D
SHCreateMemStream.SHLWAPI(00000000), ref: 004143E3

Part of subcall function 00404DC7: closesocket.WS2_32(?), ref: 00404DCD

Strings

image/jpeg, xrefs: 004143A7
88577696, xrefs: 00414361, 004144FD

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Create$Stream$Compatibleclosesocket
String ID: 88577696$image/jpeg
API String ID: 3038386933-142191079
Opcode ID: c8a09916276ca95fef88c0e93a6f3decbed3600a4d4fd02f37c715df75cddd5f
Instruction ID: e20e01b0656202f6c276f96d3320d1d93c0b2072f7a845b91fa04a72e811acb7
Opcode Fuzzy Hash: c8a09916276ca95fef88c0e93a6f3decbed3600a4d4fd02f37c715df75cddd5f
Instruction Fuzzy Hash: 7881AB716082419BC724FB25C845AEFB3A9AFC5314F00493FF586A71D1EF7899858B8B

Uniqueness

Uniqueness Score: -1.00%

Function 004107DE, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0045E6A8), ref: 004107ED
RegSetValueExA.KERNELBASE(0045E6A8,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,00417C31,WallpaperStyle,0045E6A8,?,00000001,00000000,00000000), ref: 00410815
RegCloseKey.ADVAPI32(0045E6A8,?,?,00417C31,WallpaperStyle,0045E6A8,?,00000001,00000000,00000000,?,00412F12), ref: 00410820

Strings

Control Panel\Desktop, xrefs: 004107E7, 004107F7

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 811142fb31a0c638824761d3e9a76042dd66b74ff9ed7d7e58282b1bc3f2b784
Instruction ID: ca4048befb888e13fd65d460a775c87d644506e1cfde528a41ec711cba680a84
Opcode Fuzzy Hash: 811142fb31a0c638824761d3e9a76042dd66b74ff9ed7d7e58282b1bc3f2b784
Instruction Fuzzy Hash: 78F09072501208BBCB00AFA1DE05EEE376CEF05751F10826ABD05A61A1EB759E44DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00404C67, Relevance: 6.1, APIs: 4, Instructions: 128synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,0046B32C), ref: 00404D54
CreateThread.KERNELBASE ref: 00404D67
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00404C01,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404D72
FindCloseChangeNotification.KERNELBASE(00000000,?,?,00404C01,00000000,00000098,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00404D7B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
String ID:
API String ID: 2579639479-0
Opcode ID: 5fe7781ae644ef96be52265b2fabd0e2b86620bfca0e49f26321667353cd869b
Instruction ID: c265fd5039bacd02fa86a322ff43fa943b152c03d7547c6acf997b41f97d5a0d
Opcode Fuzzy Hash: 5fe7781ae644ef96be52265b2fabd0e2b86620bfca0e49f26321667353cd869b
Instruction Fuzzy Hash: AD4160B1900209AFCF10EBA1CC55DEEBB7DAF45324F04022FF912B32D1DB78A9058A65

Uniqueness

Uniqueness Score: -1.00%

Function 00408A12, Relevance: 6.1, APIs: 4, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408AE9), ref: 00408A48
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408AE9), ref: 00408A57
Sleep.KERNEL32(00002710,?,?,?,00408AE9), ref: 00408A84
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00408AE9), ref: 00408A8B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationSizeSleep
String ID:
API String ID: 4068920109-0
Opcode ID: dbaccab9d108917095f91185bfa7949073aa41fd068aa3b01bdc64c3230f10a4
Instruction ID: 0cb76ba4b3e68d34698f432b808fce95993bd1207c552f691d8829c74f91d3a2
Opcode Fuzzy Hash: dbaccab9d108917095f91185bfa7949073aa41fd068aa3b01bdc64c3230f10a4
Instruction Fuzzy Hash: 6111CB707003846ED72157669E8591A3B58E741345F04047FF5C162AD2CFB85D844F5E

Uniqueness

Uniqueness Score: -1.00%

Function 0041762A, Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,00413490), ref: 00417647
GetFileSize.KERNEL32(00000000,00000000,00000000,?,00413490), ref: 0041765B
ReadFile.KERNELBASE(00000000,00000000,00000000,00413490,00000000,00000000,00000000,?,00413490), ref: 00417680
FindCloseChangeNotification.KERNELBASE(00000000,00413490), ref: 0041768E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationReadSize
String ID:
API String ID: 2135649906-0
Opcode ID: 32e8ac9a69c6bebe047c5e83f8ea46623d8abfaaa2380fe672d33a556c25f340
Instruction ID: 81fbfe22fc44fcdf3a4c4610403995da734f7b5bfc0ad3c47e543f6cb8880554
Opcode Fuzzy Hash: 32e8ac9a69c6bebe047c5e83f8ea46623d8abfaaa2380fe672d33a556c25f340
Instruction Fuzzy Hash: DA01F4B454131CBFE7105F65AC89EFF377CEB463A5F1002AAF804A3281DAB49E419679

Uniqueness

Uniqueness Score: -1.00%

Function 004087CA, Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32 ref: 004087E9
GetMessageA.USER32 ref: 004087FC
TranslateMessage.USER32(?), ref: 0040880A
DispatchMessageA.USER32 ref: 00408814

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Message$DispatchHookTranslateWindows
String ID:
API String ID: 1978648212-0
Opcode ID: a2f0092af21508b21bc89101fcd29a713b03af48e15a1f158e90e53425c661e2
Instruction ID: 4219cd0455bd3eb343b31c8b44a7696d718d07d27898b5c346e80187127e77a3
Opcode Fuzzy Hash: a2f0092af21508b21bc89101fcd29a713b03af48e15a1f158e90e53425c661e2
Instruction Fuzzy Hash: 1EF0FF31900306ABDB205FB69E0CD5777BCEBD6B11750447FA885E2156FEB8D441C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 004049C8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,00000010), ref: 004049E3

Strings

[ERROR], xrefs: 00404A40
TLS Authentication failed, xrefs: 00404A31

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: connect
String ID: TLS Authentication failed$[ERROR]
API String ID: 1959786783-1964023390
Opcode ID: f87987647b3e5421e7eca1d21f62d0068dd3f74e15ab50c026f3f11a335bd517
Instruction ID: 16b1bc8a2ba919ba00c6f378c6a110e40e6721499c9a4c6d5af962591d81c8e6
Opcode Fuzzy Hash: f87987647b3e5421e7eca1d21f62d0068dd3f74e15ab50c026f3f11a335bd517
Instruction Fuzzy Hash: C401E9717802009BDF18BEA699C65663B559F82354B04006BEF01AF2C7E97ACC40CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 0043BE1A, Relevance: 4.6, APIs: 3, Instructions: 115COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043BED2
_free.LIBCMT ref: 0043BEEE
_free.LIBCMT ref: 0043BEF8

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7ac4ee6c2762be188d5f3942cb466bcff48e7d0416c9a13c33d163462326b308
Instruction ID: 985adc3bf49c1f46ae50dfc63e41181fddd5d6fbe0a6b3e8d6301365cf498e81
Opcode Fuzzy Hash: 7ac4ee6c2762be188d5f3942cb466bcff48e7d0416c9a13c33d163462326b308
Instruction Fuzzy Hash: 3F3147369001159BCB24AF6D9882BFF77A4EF4C714F64105FEB059B280EB395D02C6D8

Uniqueness

Uniqueness Score: -1.00%

Function 00410767, Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046B510), ref: 00410783
RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041079C
RegCloseKey.KERNELBASE(00000000), ref: 004107A7

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 6bd7f119f1a30f609ff7fff0cbae0d2fcd5e7f8225b79470f7a1d19ac4edc808
Instruction ID: 91171cf6c373fd634bb461f9147d060b88ad66283945c17841a74b3fcf9c2b47
Opcode Fuzzy Hash: 6bd7f119f1a30f609ff7fff0cbae0d2fcd5e7f8225b79470f7a1d19ac4edc808
Instruction Fuzzy Hash: 40018B31801229BBCF219F91DC48DEB7F29EF06750F004166BE18621A1E67199A5DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0044609E, Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004460A2
_free.LIBCMT ref: 004460DB
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004460E2

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: f604ef2608959bd6be7a9ae4e6badaf5875b997bf88c27e943eda7d9b23522ab
Instruction ID: 927440552d16eed2b149941d940e25e70e636bbe4ff7d926c8a4e614b46342ca
Opcode Fuzzy Hash: f604ef2608959bd6be7a9ae4e6badaf5875b997bf88c27e943eda7d9b23522ab
Instruction Fuzzy Hash: C1E0653710592167B22262366C49D6F2619CFD77B6B2A012FF505862829E29CD0640EA

Uniqueness

Uniqueness Score: -1.00%

Function 004105BC, Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004105DC
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046B510), ref: 004105FA
RegCloseKey.KERNELBASE(?), ref: 00410605

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: d4d56bba40c1f5cecf7ef9f11087ef87271ce5720a888dc508863279777ea07e
Instruction ID: e2648c88b8fa1738a9a370a1c30e346521a47d0da847394e8f5671ffc68a7bcf
Opcode Fuzzy Hash: d4d56bba40c1f5cecf7ef9f11087ef87271ce5720a888dc508863279777ea07e
Instruction Fuzzy Hash: E2F06D7290020CFFDF109FA09D05BEEBBBCEB45B11F1080A2BA04E6191D2B09B54DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410619, Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000), ref: 0041063B
RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 0041065A
RegCloseKey.ADVAPI32(00000000), ref: 00410663

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 4fa026b9c4da0cbc5d4fdab47b8b8a58821c0e4b98b8f74efc95fba4c0203e52
Instruction ID: b72248c67ffa4ecc7d67575a745449e886294ca75085c22ca561212ffc0bd068
Opcode Fuzzy Hash: 4fa026b9c4da0cbc5d4fdab47b8b8a58821c0e4b98b8f74efc95fba4c0203e52
Instruction Fuzzy Hash: 9AF0627560021CFBDB109B90DD05FED777CEB04B01F1040A6BB05B6191D6B5AB95DBAC

Uniqueness

Uniqueness Score: -1.00%

Function 00416B7F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,00000001), ref: 00416B93

Strings

@, xrefs: 00416B89

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 01573e7a651ca653707dd22cdeefb8ec5494795f384bce349eedea7c34606281
Instruction ID: 8f9fb7489b8fbe3f1ba54efd7827ff3a8e73d493e0224ed05ee327fcceb4f11f
Opcode Fuzzy Hash: 01573e7a651ca653707dd22cdeefb8ec5494795f384bce349eedea7c34606281
Instruction Fuzzy Hash: 80D017F58023189FC720DFA8E904A8DBBFCEB08214F00016AEC49E3300E774AC108B96

Uniqueness

Uniqueness Score: -1.00%

Function 00414162, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00414178

Strings

1AA, xrefs: 0041416B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FromGdipImageLoadStream
String ID: 1AA
API String ID: 3292405956-844192247
Opcode ID: 72924f45818182c48dd9f944bd2b9b0fda5ce5c49a87623245e79c44ceb48e63
Instruction ID: 173fb968c8c62c3d6fe719f390b580b45e4cee87470222d97213f9fa737e7cba
Opcode Fuzzy Hash: 72924f45818182c48dd9f944bd2b9b0fda5ce5c49a87623245e79c44ceb48e63
Instruction Fuzzy Hash: CAD0C772500714AFC7115F55DD00A92BBECEB15762F10843BE955C3621E7B1AC548BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414188, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 4COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(?,0041413C), ref: 00414191

Strings

1AA, xrefs: 0041418B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DisposeGdipImage
String ID: 1AA
API String ID: 1024088383-844192247
Opcode ID: b0e75fcddd0eb54106ea34c9781991cde1f78c1f91bf65f7f221eca6b2163d7f
Instruction ID: bcea390f4d7c8bad85be4310cb9e8d9b9a74784dc392988f52427195d4dbe278
Opcode Fuzzy Hash: b0e75fcddd0eb54106ea34c9781991cde1f78c1f91bf65f7f221eca6b2163d7f
Instruction Fuzzy Hash: 84A001B54516009F8F025FB1DA085197EA1AB8B30A725C09BD40559226D7B7842ADE5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043E49A, Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043E4BB

Part of subcall function 0043E44C: RtlAllocateHeap.NTDLL(00000000,0042F96C,?,?,004310B7,?,?,00000000,?,?,0040BB2E,0042F96C,?,?,?,?), ref: 0043E47E

RtlReAllocateHeap.NTDLL(00000000,?,?,004287A9,0000000F,?,0042D66F,48478D10,0000000F,0042A22F,?,004287A9,0042C1D9,?,?,00000000), ref: 0043E4F7

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: e13b3ef880d09f97d598a730648fcd9887f62a72b4154a64aba1c62b2c1d991a
Instruction ID: 93a49e40fa6d82834f5731ade4898e55e3e647c54295ea5f60dacb970d54f46e
Opcode Fuzzy Hash: e13b3ef880d09f97d598a730648fcd9887f62a72b4154a64aba1c62b2c1d991a
Instruction Fuzzy Hash: 7CF0C831202105759B213A23AC00A6B27199FED770F15A12BF804962D2EA7CD80185BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401626, Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8739f5047dbf2265d6c6b80e88be59afaa52b2ddbf37bed7e51993e6aafdcb4
Instruction ID: 374f1b9c642aff8eae4c423f5ef890c8674a418e1174cccca316b678e0f74da2
Opcode Fuzzy Hash: c8739f5047dbf2265d6c6b80e88be59afaa52b2ddbf37bed7e51993e6aafdcb4
Instruction Fuzzy Hash: 8AF0B4712141045BCF0CCF359C50B6937595B01369B644B3FF01ED62E0D73AE945C65C

Uniqueness

Uniqueness Score: -1.00%

Function 0043BC9C, Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043BCEA

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 54ee63205acb6671c52bcc139271b6ad90819ef63c9034b2c94aa4f9d111d78b
Instruction ID: 3dc0ce3d863a20fee09724c0676057e590de4732d6abb284b54a3bb182b85610
Opcode Fuzzy Hash: 54ee63205acb6671c52bcc139271b6ad90819ef63c9034b2c94aa4f9d111d78b
Instruction Fuzzy Hash: 60E0E522601911569631373B6C0576F0145DBC9339F11322FF611972C1DFAC480365DF

Uniqueness

Uniqueness Score: -1.00%

Function 0043BCF5, Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043BD3E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7941ef54860345ff0b89531de9c08116ef9ceb920e5f15597b34753809234a04
Instruction ID: fd89ffe357efde7fac8a3dafd2506ebb74752ce8110f37433eca878ae9bbe253
Opcode Fuzzy Hash: 7941ef54860345ff0b89531de9c08116ef9ceb920e5f15597b34753809234a04
Instruction Fuzzy Hash: B2E02B2260291120E621373B6C09B7F0145DBC9339F21322FF624962C2EFBC480261DF

Uniqueness

Uniqueness Score: -1.00%

Function 00416E4B, Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00416E57
GetWindowTextW.USER32 ref: 00416E6A

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 4d3f25fae02bb5150cff7ed20a42d59257456ec2513058df2b2904945ecc2f9b
Instruction ID: c791c991259b562d298b274d84577ba9dc47fe87bc89243c5d6615721511b258
Opcode Fuzzy Hash: 4d3f25fae02bb5150cff7ed20a42d59257456ec2513058df2b2904945ecc2f9b
Instruction Fuzzy Hash: 38D01271B1032857EA2477B49D4DAA6776C9745711F0005AABA29D3182D9B8990487D4

Uniqueness

Uniqueness Score: -1.00%

Function 00402CED, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402CF2

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c1e758a6f6a4f3be9a6e84c47e41c727aedcc25d09d8f09317cdda87c8bdd2e7
Instruction ID: aa854f93e2bb7ea2c2b492e58b955b91c64af8329a39e3a36f818d2d713549dc
Opcode Fuzzy Hash: c1e758a6f6a4f3be9a6e84c47e41c727aedcc25d09d8f09317cdda87c8bdd2e7
Instruction Fuzzy Hash: E0218271B002155BCB15EFA68A8A6BE77AAAF84314F10003FE515BB2C1DFBC5E018799

Uniqueness

Uniqueness Score: -1.00%

Function 00404A63, Relevance: 1.6, APIs: 1, Instructions: 65networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 5935970f3abb869c86749b341f07007b29ff741c21591f4bc44911d25dbab40b
Instruction ID: dfe98e192ee72379238824daa36406d664015d436f0d317f199484c7122155df
Opcode Fuzzy Hash: 5935970f3abb869c86749b341f07007b29ff741c21591f4bc44911d25dbab40b
Instruction Fuzzy Hash: 59212471900209AAC709FB61D956EEEB734AF10314F10813FB5127B1E2EFB86905CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00418146, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041814B

Part of subcall function 00402708: std::_Deallocate.LIBCONCRT ref: 00402B02

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DeallocateH_prologstd::_
String ID:
API String ID: 3881773970-0
Opcode ID: 14faacb5e17301837ed39fd14b5f92adece742a62e3c94a156eac834ba4d7e54
Instruction ID: f251e80aafa9e99547ba287b0894bb6732b6e1b048f20ca6e3429bb9b4af4e9a
Opcode Fuzzy Hash: 14faacb5e17301837ed39fd14b5f92adece742a62e3c94a156eac834ba4d7e54
Instruction Fuzzy Hash: 73117F71A001149FCB05EF69C9866ADBBB6EF85314F10416FF500AB2E1DBB50940DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00446D95, Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043DE08: RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00440857,00000001,00000364,?,00000000,00000000,00436288,00000000,?,?,0043630C,00000000), ref: 0043DE49

_free.LIBCMT ref: 00446E01

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 68b2543d5f3980daab19e4944255c11d11a5a3f03842e79472fef1e73b65b123
Instruction ID: 09e18c468ce93fb60fe811cd8d4c44f943ef2092b77a45f58f80fc906e623ce7
Opcode Fuzzy Hash: 68b2543d5f3980daab19e4944255c11d11a5a3f03842e79472fef1e73b65b123
Instruction Fuzzy Hash: CA0149726003056BF7218F66DC8199EFBEDEB8A330F65052EE584933C0EA34A845C779

Uniqueness

Uniqueness Score: -1.00%

Function 00421B06, Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00421BDE: recv.WS2_32(?,?,?,?), ref: 00421BE9

WSAGetLastError.WS2_32 ref: 00421B28

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLastrecv
String ID:
API String ID: 2514157807-0
Opcode ID: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
Instruction ID: db9b56446c30db72c3ae9b0c2b0b3fc545fc8ab1e2f580f0590a1e670c5f42ca
Opcode Fuzzy Hash: 775403e6fa1c86be6d548b2784bdb667b06ff57a934a787a42b00bd7c27719c5
Instruction Fuzzy Hash: E5F0283170C2691EDF189559FC948393B609F65330BB0432BF63A825F0FA28B8405109

Uniqueness

Uniqueness Score: -1.00%

Function 0043DE08, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,00440857,00000001,00000364,?,00000000,00000000,00436288,00000000,?,?,0043630C,00000000), ref: 0043DE49

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: faf0b046366be3b4e1c4259a323bd0b747018b7f3f989aab24884193072beefa
Instruction ID: c7fdba7887a7be3fed700e997b237f49efac61be0a3d8f69bdc37076d16aef63
Opcode Fuzzy Hash: faf0b046366be3b4e1c4259a323bd0b747018b7f3f989aab24884193072beefa
Instruction Fuzzy Hash: FAF02B31D04A2066DB202E62BC07B1B3F59DBA9BA0F146027BC04AE181CB38D800C6ED

Uniqueness

Uniqueness Score: -1.00%

Function 00421B77, Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00421BF7: send.WS2_32(?,?,?,?), ref: 00421C02

WSAGetLastError.WS2_32 ref: 00421B99

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLastsend
String ID:
API String ID: 1802528911-0
Opcode ID: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
Instruction ID: a1a50308534580ef51ece1588d92efc45be44e1c27f0dc1512bc4fe0cc7dfc97
Opcode Fuzzy Hash: 8cb09f3eb5d4e7103086a5d97c8df369fda03b4f8b26fdb2e33335adb8823741
Instruction Fuzzy Hash: 11F062353081245A9F189959FCA48393B659F65330F70436FF93AC66F0FA28B9405645

Uniqueness

Uniqueness Score: -1.00%

Function 00414266, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(0046AE98,?,00000000), ref: 0041428B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: GdiplusStartup
String ID:
API String ID: 2503201367-0
Opcode ID: 8d2d44d3550e8da7c399f89897b08bdc5403ae2d24add96f0c88bf4ea1884661
Instruction ID: 801cef195dad3ac3ae852b95bd8bd506648fe3022e78b6b349468b1c93acdd98
Opcode Fuzzy Hash: 8d2d44d3550e8da7c399f89897b08bdc5403ae2d24add96f0c88bf4ea1884661
Instruction Fuzzy Hash: F2F0C2715002045AC624FBAAEC839BE772C9690344F54013EF905A31E2FBB818D4CADF

Uniqueness

Uniqueness Score: -1.00%

Function 0043E44C, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0042F96C,?,?,004310B7,?,?,00000000,?,?,0040BB2E,0042F96C,?,?,?,?), ref: 0043E47E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4fdf2a0cd2aadbaf0304e2207f6e990293a450f292b63d17a6160a6151116311
Instruction ID: d40488a30f5964f711f4d1a35c7ad676e9464380fa08b208e059b77d9a7df93f
Opcode Fuzzy Hash: 4fdf2a0cd2aadbaf0304e2207f6e990293a450f292b63d17a6160a6151116311
Instruction Fuzzy Hash: 52E02B3110622066EA3036A39D0075B3A4CDF7D7A0F092127FD55A62C1CBADCC0187ED

Uniqueness

Uniqueness Score: -1.00%

Function 00404952, Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000000,00000001,00000006), ref: 00404973

Part of subcall function 0040499E: WSAStartup.WS2_32(00000202,00000000), ref: 004049B3

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Startupsocket
String ID:
API String ID: 3996037109-0
Opcode ID: 0009efa447480ac7162edf8e32fe21f236245f444557579be3d43ba06963fae9
Instruction ID: 4550f6aa970da0b6b49d050303d774881638cbec4a8567ac9039073ae3dcca50
Opcode Fuzzy Hash: 0009efa447480ac7162edf8e32fe21f236245f444557579be3d43ba06963fae9
Instruction Fuzzy Hash: DFF0A0F04417905ADB304FB858447977BC46B92718F54597FE6D2737C2C2B95808D72A

Uniqueness

Uniqueness Score: -1.00%

Function 00970000, Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 00970023

Memory Dump Source

Source File: 00000019.00000002.493606771.0000000000970000.00000040.00000001.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_970000_DpiScaling.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Uniqueness

Uniqueness Score: -1.00%

Function 009F0000, Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 009F0023

Memory Dump Source

Source File: 00000019.00000002.493631837.00000000009F0000.00000040.00000001.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_9f0000_DpiScaling.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1

Uniqueness

Uniqueness Score: -1.00%

Function 004141FE, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GdipSaveImageToStream.GDIPLUS(?,?,?,?), ref: 00414210

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: GdipImageSaveStream
String ID:
API String ID: 971487142-0
Opcode ID: 5debb9765a4549859fa268355dac6ce20d0f9f150f3478218f230c592dadb7e1
Instruction ID: a26fa179d73d90fd1803d0784b531460a83a9f38c84072f19cc91fdffe65a59b
Opcode Fuzzy Hash: 5debb9765a4549859fa268355dac6ce20d0f9f150f3478218f230c592dadb7e1
Instruction Fuzzy Hash: E1D0C736100218BB8F111FD5DC05CDF7F59EB59761704401AF91945121D7729960D794

Uniqueness

Uniqueness Score: -1.00%

Function 0040499E, Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004049B3

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: a19467ebbac9144480ba84676d3739668ad2e0483cebf15b16c4f36432ecd58f
Instruction ID: 517fadebee8ecea024088892bf82e9b33c168bf53452fb9c904b788729c87c7e
Opcode Fuzzy Hash: a19467ebbac9144480ba84676d3739668ad2e0483cebf15b16c4f36432ecd58f
Instruction Fuzzy Hash: 73D0123255861C4EE610AAB4AD0F8A5775CC313611F0003BBADB5935D3F680572CC6FB

Uniqueness

Uniqueness Score: -1.00%

Function 00404B4A, Relevance: 1.5, APIs: 1, Instructions: 14threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00404B5F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: aa4e4dc2cb122f0f29472d4f798349c08e49d02c2ddb635cdb6432eff895d7aa
Instruction ID: 97ee54beef1a1a3af015763c64c00ad61b46afc2d0d95e1d7b713c08e0877e00
Opcode Fuzzy Hash: aa4e4dc2cb122f0f29472d4f798349c08e49d02c2ddb635cdb6432eff895d7aa
Instruction Fuzzy Hash: 3DC012F5910308BFAA048F74DC09C3337ACD6546007204026BD04C2201E2B5EC0085B8

Uniqueness

Uniqueness Score: -1.00%

Function 004027B1, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00402E72

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: fd0bdf4a69064b2d18053eefdb382f6c1a1f7578bd22aecd9d5e55026fa2e620
Instruction ID: 66861155bbb4e0080179f18165afdfe6f8674f019647a8e1789cc7e086e7b50e
Opcode Fuzzy Hash: fd0bdf4a69064b2d18053eefdb382f6c1a1f7578bd22aecd9d5e55026fa2e620
Instruction Fuzzy Hash: 1BC08C3208420C73CE0029C2FC0AE76BB8D9B117A0F008032FA08281A1E5B3A670A2DA

Uniqueness

Uniqueness Score: -1.00%

Function 00421BDE, Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00421BE9

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 7ad1cd26123787b90cdb024773a429c76d63a200b557d3fd2c891eb584e7a2b7
Instruction ID: d22f605dce17e7010e528aafcd0459530f7bd97adfd3d16a7e87a65e7f84fe1c
Opcode Fuzzy Hash: 7ad1cd26123787b90cdb024773a429c76d63a200b557d3fd2c891eb584e7a2b7
Instruction Fuzzy Hash: ACC02B3500430CBFCF000F90CD08C793F6DE7453307008025F90106161C673C45097A4

Uniqueness

Uniqueness Score: -1.00%

Function 00421BF7, Relevance: 1.5, APIs: 1, Instructions: 10networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00421C02

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 63192576bebbbc87e02ae285eb9f3146fb9d3150f5c9bdd3ac0e14ae196f0fe7
Instruction ID: 7656d33ba3c1a4d50a810802acb66cf4f9a2d9aa88479468d10b2f707a630d50
Opcode Fuzzy Hash: 63192576bebbbc87e02ae285eb9f3146fb9d3150f5c9bdd3ac0e14ae196f0fe7
Instruction Fuzzy Hash: 6EC09B7510460CBFDF051F91DD08C793FADE745761700C035F90555161D677D51097B5

Uniqueness

Uniqueness Score: -1.00%

Function 00990000, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.493616745.0000000000990000.00000040.00000001.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_990000_DpiScaling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
Instruction ID: 18b5e61e04c7bcae5a7a9f8a09946595db22e2a0f492063f86ebefdf2a899b08
Opcode Fuzzy Hash: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
Instruction Fuzzy Hash: 33D01275914208EFDB04CF54D84589EBBF5EB44320F20C165E914973A0E731AE509A44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040698F, Relevance: 39.2, APIs: 7, Strings: 15, Instructions: 699COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004069B1
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406B7C

Part of subcall function 004064B4: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064FF

Part of subcall function 004062EA: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046B230,?,00406E86,00000000), ref: 00406343
Part of subcall function 004062EA: WriteFile.KERNEL32(?,?,00000000,00406E86,00000000,?,000186A0,00406E86,?,00406E86,00000000,?,?,?,0000000A), ref: 0040638B
Part of subcall function 004062EA: CloseHandle.KERNEL32(00000000,?,00406E86,00000000,?,?,?,0000000A), ref: 004063C5
Part of subcall function 004062EA: MoveFileW.KERNEL32(00000000,00000000), ref: 004063DD

Part of subcall function 0041693E: GetLocalTime.KERNEL32(00000000), ref: 00416958

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

GetLogicalDriveStringsA.KERNEL32 ref: 00406C60
StrToIntA.SHLWAPI(00000000,?), ref: 00406FF8
CreateDirectoryW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00407074

Part of subcall function 004061D5: FindFirstFileW.KERNEL32(00000000,?,?,0046B230), ref: 004061F0

Strings

Downloaded file size: , xrefs: 00406EA8
Browsing directory: , xrefs: 00406C1B
Failed to download file: , xrefs: 00406F6C
Deleted file: , xrefs: 0040721B
Unable to rename file!, xrefs: 0040715A
[DEBUG], xrefs: 00406EBA
Executing file: , xrefs: 00406B92
Downloading file: , xrefs: 00406E0D
Unable to delete: , xrefs: 0040725A
Failed to upload file: , xrefs: 00406B0D
[ERROR], xrefs: 00406B1C, 00406F7E, 0040726C
[Info], xrefs: 00406B06, 00406BA4, 00406C2D, 00406E1D, 00406E24, 00406F0A, 0040722D
Uploaded file: , xrefs: 00406AF7
Downloaded file: , xrefs: 00406EF8
open, xrefs: 00406B76

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$Create$CloseDirectoryDriveEventExecuteFindFirstHandleLocalLogicalMoveShellStringsTimeWritesend
String ID: Browsing directory: $Deleted file: $Downloaded file size: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[DEBUG]$[ERROR]$[Info]$open
API String ID: 3947485326-3341346664
Opcode ID: d92b2d25ffa84245377b51d82d4c7926b1164f30858b22c548b797f3796d73a6
Instruction ID: 324d395f0d5f4d7d2309d0fb10ff7d7c3a390e856f3ea47450fd7f7ec27f2868
Opcode Fuzzy Hash: d92b2d25ffa84245377b51d82d4c7926b1164f30858b22c548b797f3796d73a6
Instruction Fuzzy Hash: 02326271A1830157C608F736C8679AF77A5AF91348F40093FF942671E3EE389A49C69B

Uniqueness

Uniqueness Score: -1.00%

Function 00409348, Relevance: 34.4, Strings: 27, Instructions: 632COMMON

Download Yara Rule

Strings

[Tab] , xrefs: 004093E4
[F9] , xrefs: 00409582
[PagDw] , xrefs: 00409404
[Down] , xrefs: 00409436
[F10] , xrefs: 00409575
[BckSp] , xrefs: 004093F4
[F8] , xrefs: 0040958F
[Start] , xrefs: 00409476
[F5] , xrefs: 004094D3
[Left] , xrefs: 00409466
[PagUp] , xrefs: 0040939C
[Esc] , xrefs: 004093AC
[Enter] , xrefs: 004093D4
[F3] , xrefs: 004094F3
[F12] , xrefs: 0040955B
[End] , xrefs: 00409486
[F6] , xrefs: 00409530
[F11] , xrefs: 00409568
[F4] , xrefs: 004094E3
[Pause] , xrefs: 004093C4
[Print] , xrefs: 00409496
[Del] , xrefs: 00409523
[F2] , xrefs: 00409503
[F7] , xrefs: 0040959C
[Up] , xrefs: 00409456
[Right] , xrefs: 00409446
[F1] , xrefs: 00409513

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID: [BckSp] $ [Del] $ [Down] $ [End] $ [Enter] $ [Esc] $ [F10] $ [F11] $ [F12] $ [F1] $ [F2] $ [F3] $ [F4] $ [F5] $ [F6] $ [F7] $ [F8] $ [F9] $ [Left] $ [PagDw] $ [PagUp] $ [Pause] $ [Print] $ [Right] $ [Start] $ [Tab] $ [Up]
API String ID: 0-3968991301
Opcode ID: 418e792351406c6bc2b29f945ccaa6c120b83850edbbef45a90551d627787434
Instruction ID: dcd4cf1fec319d10464bc7cca56a95662c6d10d9cfb60c98197cc56930270b6c
Opcode Fuzzy Hash: 418e792351406c6bc2b29f945ccaa6c120b83850edbbef45a90551d627787434
Instruction Fuzzy Hash: 51F17CA175810172CC2C343E8FAF93A2C199253791FA4026FE843767CBD56EAE0942DF

Uniqueness

Uniqueness Score: -1.00%

Function 0040F791, Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 194threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0040F79D

Part of subcall function 004108E7: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004108F5
Part of subcall function 004108E7: RegSetValueExA.ADVAPI32(?,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040AA98,0045EF58,00000001,000000AF,Function_0005E66C), ref: 00410910
Part of subcall function 004108E7: RegCloseKey.ADVAPI32(?,?,?,?,0040AA98,0045EF58,00000001,000000AF,Function_0005E66C), ref: 0041091B

OpenMutexA.KERNEL32 ref: 0040F7D7
CloseHandle.KERNEL32(00000000), ref: 0040F7E6
CreateThread.KERNEL32 ref: 0040F83C
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040FA04

Strings

Remcos restarted by watchdog!, xrefs: 0040F7F1
Watchdog module activated, xrefs: 0040F815, 0040F97B
\system32, xrefs: 0040F89A
[Info], xrefs: 0040F7FE, 0040F805, 0040F824, 0040F98A
[ERROR], xrefs: 0040F9BE
WDH, xrefs: 0040F846, 0040F84C, 0040FA0A
\SysWOW64, xrefs: 0040F8EC
Mutex_RemWatchdog, xrefs: 0040F7CA
Watchdog launch failed!, xrefs: 0040F9AF
WinDir, xrefs: 0040F8A9, 0040F8FB
\svchost.exe, xrefs: 0040F941

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[Info]$\SysWOW64$\svchost.exe$\system32
API String ID: 3018269243-3797382479
Opcode ID: 34dee7b0310a15029a24d0e5d803b8ff27242e632e4ffb4a5089b68bcbcf24e7
Instruction ID: a9428d82232955bd045a3cc7e008281540e09e6cf535bebbc240cd847c74a80f
Opcode Fuzzy Hash: 34dee7b0310a15029a24d0e5d803b8ff27242e632e4ffb4a5089b68bcbcf24e7
Instruction Fuzzy Hash: D351BE316043016BC618BB72DD1B96E77659E81759F10043FB902722E3EFBC9A08C6AF

Uniqueness

Uniqueness Score: -1.00%

Function 004055A5, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 285pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004055F1

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

__Init_thread_footer.LIBCMT ref: 0040562F
CreatePipe.KERNEL32(0046CCC4,0046CCAC,0046CBE8,00000000,0045E684,00000000), ref: 004056BD
CreatePipe.KERNEL32(0046CCB0,0046CCCC,0046CBE8,00000000), ref: 004056D3
CreateProcessA.KERNEL32 ref: 00405746
Sleep.KERNEL32(0000012C,00000093,?), ref: 004057AD
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004057D5
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004057FE

Part of subcall function 0042EE10: __onexit.LIBCMT ref: 0042EE16

WriteFile.KERNEL32(00000000,00000000,?,00000000,0046B2C8,Function_0005E688,00000062,Function_0005E66C), ref: 004058EC
Sleep.KERNEL32(00000064,00000062,Function_0005E66C), ref: 00405905
TerminateProcess.KERNEL32(00000000), ref: 0040591E
CloseHandle.KERNEL32 ref: 0040592A
CloseHandle.KERNEL32 ref: 00405936
CloseHandle.KERNEL32 ref: 0040594C
CloseHandle.KERNEL32 ref: 00405958

Strings

SystemDrive, xrefs: 00405668
cmd.exe, xrefs: 00405654

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: ecca08401610f3311fb13ccf64266efb2ac83bab2fbc5a605336fce6c77437fd
Instruction ID: f663735627445868b5d40c5be4f8d45465cbe3bb369afd93809fbfee828bf4cd
Opcode Fuzzy Hash: ecca08401610f3311fb13ccf64266efb2ac83bab2fbc5a605336fce6c77437fd
Instruction Fuzzy Hash: E191C1B1A00605ABCB04BBA5AD86D7F3A69EB45714B10407FF445B72E2EFB84D018B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00413EB9, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 155injectionthreadmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413EBE
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,00000000,00000000,00000004), ref: 00413EE2
GetProcAddress.KERNEL32(00000000), ref: 00413EE9
CreateProcessW.KERNEL32 ref: 00413F3E
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00413F56
GetThreadContext.KERNEL32(?,00000000), ref: 00413F6B
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00413F8D
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 00413FB8
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00413FD5
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00414016
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00414037
SetThreadContext.KERNEL32(?,?), ref: 00414051
ResumeThread.KERNEL32(?), ref: 0041405E

Strings

NtUnmapViewOfSection, xrefs: 00413ED8
ntdll.dll, xrefs: 00413EDD

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 65594003-1050664331
Opcode ID: 3185e5b557f20dc272b4a8b2db3a771a6a5ba258ca77b6e81d12f6cfd88ab4f6
Instruction ID: 8bbc8552cc9ee7815f4222388a09e112b1fcc7e11921d2756b39a4d13f099049
Opcode Fuzzy Hash: 3185e5b557f20dc272b4a8b2db3a771a6a5ba258ca77b6e81d12f6cfd88ab4f6
Instruction Fuzzy Hash: 28519271A00605AFDB208F65CD45FABBBB8FF89702F10002AF655E62A1D7B5D850CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A441, Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A4C0
FindClose.KERNEL32(00000000), ref: 0040A4DA
FindNextFileA.KERNEL32(00000000,?), ref: 0040A611
FindClose.KERNEL32(00000000), ref: 0040A637

Strings

[Firefox StoredLogins Cleared!], xrefs: 0040A624
[Firefox StoredLogins not found], xrefs: 0040A4E5
\key3.db, xrefs: 0040A59B
\logins.json, xrefs: 0040A559
UserProfile, xrefs: 0040A471
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A463

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 12b624cfebed4c7611cf6de51434930dff0e62b922a7b886812f536285a1dc8e
Instruction ID: 6c8c1fa78201e48ef2a75ce65be0addc4a9902aefeb2422e6ea19f2f56050379
Opcode Fuzzy Hash: 12b624cfebed4c7611cf6de51434930dff0e62b922a7b886812f536285a1dc8e
Instruction Fuzzy Hash: 8F51843190021A5ACB18F771DC5AEEEB735AF11309F50017FE506B60E2EF7C5A4ACA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A65C, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A6D4
FindClose.KERNEL32(00000000), ref: 0040A6EA
FindNextFileA.KERNEL32(00000000,?), ref: 0040A714
DeleteFileA.KERNEL32(00000000,00000000), ref: 0040A7BC
GetLastError.KERNEL32 ref: 0040A7C6
FindNextFileA.KERNEL32(00000000,00000010), ref: 0040A7DA
FindClose.KERNEL32(00000000), ref: 0040A800
FindClose.KERNEL32(00000000), ref: 0040A821

Strings

\cookies.sqlite, xrefs: 0040A77D
[Firefox cookies found, cleared!], xrefs: 0040A82E
[Firefox Cookies not found], xrefs: 0040A6F5, 0040A7ED
UserProfile, xrefs: 0040A685
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040A677

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Find$File$Close$Next$DeleteErrorFirstLast
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 532992503-432212279
Opcode ID: 74036225156026107fe48e824038f745659ddb4551c3e927343a7eec43120134
Instruction ID: b639a81b36797616233973ead6d1d4559acded39002e39b7a9e8bfb3b4aa6e8a
Opcode Fuzzy Hash: 74036225156026107fe48e824038f745659ddb4551c3e927343a7eec43120134
Instruction Fuzzy Hash: 2341A0319002195ACB18BB75CC5ADEEB738AF12305F40417FE506B31D2EF7C9A4A869A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D44C, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 186processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,0046B510,0046B570,00000001), ref: 0040D467
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D48D
Process32FirstW.KERNEL32(00000000,?), ref: 0040D4A8
Process32NextW.KERNEL32(0040CD7B,0000022C), ref: 0040D519
CloseHandle.KERNEL32(0040CD7B,?,00000000,?,?,?), ref: 0040D526
CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj,00000000), ref: 0040D63C
CloseHandle.KERNEL32(00000000), ref: 0040D69E

Part of subcall function 004172C6: OpenProcess.KERNEL32(00000410,00000000,?,00000000,00000000), ref: 004172DB

Strings

Inj, xrefs: 0040D688
Program Files (x86)\, xrefs: 0040D612
Remcos_Mutex_Inj, xrefs: 0040D634
Program Files\, xrefs: 0040D600

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
API String ID: 193334293-694575909
Opcode ID: 689f1af3a217b34abf64cf672377aeb4802151e103c64cb2d272a5f9b5e9efc8
Instruction ID: 6f6d6097da30c9cc5dde5e09d95af3a7f7688091d4f485f0a322e31800747128
Opcode Fuzzy Hash: 689f1af3a217b34abf64cf672377aeb4802151e103c64cb2d272a5f9b5e9efc8
Instruction Fuzzy Hash: A6615F30900209ABCF14EBA1DD569EE7739AF51348F50407FB806771E2EF786E4ACA59

Uniqueness

Uniqueness Score: -1.00%

Function 00415DEF, Relevance: 15.2, APIs: 10, Instructions: 226serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,?,0046AACC,0046B978), ref: 00415E06
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,00415914,?), ref: 00415E4D
GetLastError.KERNEL32(?,0046AACC,0046B978), ref: 00415E5B
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,00415914,?), ref: 00415E8C
OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,004649E4,00000000,004649E4,00000000,004649E4,?,0046AACC,0046B978), ref: 00415F5C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: EnumOpenServicesStatus$ErrorLastManagerService
String ID:
API String ID: 2247270020-0
Opcode ID: c2530c539ab1680384e6b9eebfa402a9015c224b3c089d05d491bdc6f913c0e8
Instruction ID: 2cf2154eb2f753b845d149a3633e66778fa3899775cd16a2f131ec9506ee59c3
Opcode Fuzzy Hash: c2530c539ab1680384e6b9eebfa402a9015c224b3c089d05d491bdc6f913c0e8
Instruction Fuzzy Hash: A6814C71D00108ABCB14EBA2DD569EFB739EF54304F20406FF512761A1EE786B09CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004173A2, Relevance: 13.6, APIs: 9, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,0046B510,00000001), ref: 00417439
FindNextFileW.KERNEL32(00000000,?,?,0046B510,00000001), ref: 00417470
RemoveDirectoryW.KERNEL32(?,?,0046B510,00000001), ref: 004174EA
FindClose.KERNEL32(00000000,?,0046B510,00000001), ref: 00417518
RemoveDirectoryW.KERNEL32(0046B510,?,0046B510,00000001), ref: 00417521
SetFileAttributesW.KERNEL32(?,00000080,?,0046B510,00000001), ref: 0041753E
DeleteFileW.KERNEL32(?,?,0046B510,00000001), ref: 0041754B
GetLastError.KERNEL32(?,0046B510,00000001), ref: 00417573
FindClose.KERNEL32(00000000,?,0046B510,00000001), ref: 00417586

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 71434bb74c239d69f9ed70773db2eb10add558826ff82d600ab3f1fb5e383a6d
Instruction ID: 7f2fb7b55e03c53026806eb35c9268a4200589b2b149351efd9a1e3919e3f3d6
Opcode Fuzzy Hash: 71434bb74c239d69f9ed70773db2eb10add558826ff82d600ab3f1fb5e383a6d
Instruction Fuzzy Hash: B551053554421D8ACF24DFB8C8886FBB7B5BF54304F5041EAE80993651EB798EC6CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00412AAE, Relevance: 13.6, APIs: 9, Instructions: 74clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00412AB9
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00412AD7
GlobalLock.KERNEL32 ref: 00412AE2
GlobalUnlock.KERNEL32(?), ref: 00412B11
SetClipboardData.USER32 ref: 00412B1D
GetClipboardData.USER32 ref: 00412B45
GlobalLock.KERNEL32 ref: 00412B4E
GlobalUnlock.KERNEL32(00000000), ref: 00412B57
CloseClipboard.USER32 ref: 00412B5D

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Global$Clipboard$DataLockUnlock$AllocCloseEmpty
String ID:
API String ID: 2999736613-0
Opcode ID: 7d021fb2823ee852f8e625631acb7168212cf74c237156883dbdb6851b0072a2
Instruction ID: 565992631f6b68ffad0b5d02db63d146f0d39cd1da03ecd38eab7e08138890c6
Opcode Fuzzy Hash: 7d021fb2823ee852f8e625631acb7168212cf74c237156883dbdb6851b0072a2
Instruction Fuzzy Hash: 8A21A1316043019BC700BBB5DE499AE7B94AF86706F00443FFA46D21E2EF78C905CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044171D, Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044179F
_free.LIBCMT ref: 004417C3
_free.LIBCMT ref: 0044194A
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004580EC), ref: 0044195C
WideCharToMultiByte.KERNEL32(00000000,00000000,0046A754,000000FF,00000000,0000003F,00000000,?,?), ref: 004419D4
WideCharToMultiByte.KERNEL32(00000000,00000000,0046A7A8,000000FF,?,0000003F,00000000,?), ref: 00441A01
_free.LIBCMT ref: 00441B16

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0774941608d6a914c10e8f4d61659dd0c0a82648d8cee12c2c5ba901e3db2784
Instruction ID: d4910f71f08313cd722a7099b19f3c88e7cea30965445af63df8e3bd8de064d1
Opcode Fuzzy Hash: 0774941608d6a914c10e8f4d61659dd0c0a82648d8cee12c2c5ba901e3db2784
Instruction Fuzzy Hash: 5DC12A71A00205ABFB20AF798C41AAB7BB9EF45314F14416FE445A73A1EB788D81CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A323, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A35F
GetLastError.KERNEL32 ref: 0040A369

Strings

[Chrome StoredLogins not found], xrefs: 0040A383
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A32A
[Chrome StoredLogins found, cleared!], xrefs: 0040A38F
UserProfile, xrefs: 0040A32F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: dbf907cab1a606f992b417811d12213010db0fac4445e8cf19e3e95a91f3b706
Instruction ID: 66f10d9e375c94b106c8096fa88071da4c97a01856142f1d91f9a3186a33621e
Opcode Fuzzy Hash: dbf907cab1a606f992b417811d12213010db0fac4445e8cf19e3e95a91f3b706
Instruction Fuzzy Hash: 3E01F721A8030556C709BA76DD1BCBE3724A912305B90017FFD02732D2ED7D9A19868B

Uniqueness

Uniqueness Score: -1.00%

Function 004136E6, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 004136F3
OpenProcessToken.ADVAPI32(00000000), ref: 004136FA
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041370C
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041372B
GetLastError.KERNEL32 ref: 00413731

Strings

SeShutdownPrivilege, xrefs: 00413706

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 6f73f57e8d0427e0152fba84f6f2374e37d01f21589a8514adc0537bb883d5ac
Instruction ID: 0059e1c4fef34e6d00e865866b4e75e050651fde8715f6eb55a6483fafde533c
Opcode Fuzzy Hash: 6f73f57e8d0427e0152fba84f6f2374e37d01f21589a8514adc0537bb883d5ac
Instruction Fuzzy Hash: 77F0D075802219ABDB109B91DE0DEEF7F7CEF06616F114061BA05A1152D6748B04C6E5

Uniqueness

Uniqueness Score: -1.00%

Function 00407840, Relevance: 9.3, APIs: 6, Instructions: 323fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407845

Part of subcall function 004049C8: connect.WS2_32(?,?,00000010), ref: 004049E3

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

__CxxThrowException@8.LIBVCRUNTIME ref: 004078F2
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00407950
FindNextFileW.KERNEL32(00000000,?), ref: 004079A8
FindClose.KERNEL32(000000FF), ref: 004079BF

Part of subcall function 00404DC7: closesocket.WS2_32(?), ref: 00404DCD

FindClose.KERNEL32(00000000), ref: 00407BFB

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowclosesocketconnectsend
String ID:
API String ID: 2104358809-0
Opcode ID: 4b6234e03790531c9de3da2711aef3564c5c7b9d9b19d6e707b86782aa441d8a
Instruction ID: cc2357671f5ebe8ca050b6611d54c8885cc84ef9d07b9631a39536962bdb1781
Opcode Fuzzy Hash: 4b6234e03790531c9de3da2711aef3564c5c7b9d9b19d6e707b86782aa441d8a
Instruction Fuzzy Hash: 21C18E719042099BCB14FB61CD52AEE7375AF10308F5041BFE906B71E2EB396B49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004160C1, Relevance: 9.0, APIs: 6, Instructions: 42serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00415D47), ref: 004160CD
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00415D47), ref: 004160E1
CloseServiceHandle.ADVAPI32(00000000,?,?,00415D47), ref: 004160EE
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00415D47), ref: 004160F9
CloseServiceHandle.ADVAPI32(00000000,?,?,00415D47), ref: 0041610B
CloseServiceHandle.ADVAPI32(00000000,?,?,00415D47), ref: 0041610E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 44f912bbfeca5d2050863c7a445d3db70abc7cc6f814e546e19f4f507f224af8
Instruction ID: 48a50272b455f8416dd1486c1ee5c17d72cef524f57b6e95b7c30f7048f7db64
Opcode Fuzzy Hash: 44f912bbfeca5d2050863c7a445d3db70abc7cc6f814e546e19f4f507f224af8
Instruction Fuzzy Hash: 44F090325022287BD2116B31DD89DBF3A6CDA46BA6B01002BFA0592192CEA8CD42D5B9

Uniqueness

Uniqueness Score: -1.00%

Function 004129A1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004136E6: GetCurrentProcess.KERNEL32(00000028,?), ref: 004136F3
Part of subcall function 004136E6: OpenProcessToken.ADVAPI32(00000000), ref: 004136FA
Part of subcall function 004136E6: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041370C
Part of subcall function 004136E6: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041372B
Part of subcall function 004136E6: GetLastError.KERNEL32 ref: 00413731

ExitWindowsEx.USER32 ref: 00412A43
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00412A58
GetProcAddress.KERNEL32(00000000), ref: 00412A5F

Strings

PowrProf.dll, xrefs: 00412A53
SetSuspendState, xrefs: 00412A4E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: 1852a8fa0616adc4d3a6176f06aa68de8b793aa1f44d3fd1f0ad62f3f1463691
Instruction ID: 20e103079177df50b19dd962f30cf6943222f26e5479ace24327eeca35eaca6e
Opcode Fuzzy Hash: 1852a8fa0616adc4d3a6176f06aa68de8b793aa1f44d3fd1f0ad62f3f1463691
Instruction Fuzzy Hash: 202198707043016BCA14FBF2E9669AF23499F81349F40583FB502A71E3DE7C8C49865E

Uniqueness

Uniqueness Score: -1.00%

Function 004490FD, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044941C,?,00000000), ref: 00449196
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044941C,?,00000000), ref: 004491BF
GetACP.KERNEL32(?,?,0044941C,?,00000000), ref: 004491D4

Strings

OCP, xrefs: 00449151
ACP, xrefs: 0044911B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 5d6c30fc249c5356bdda3edabf507e5a6debc71ffc6635717bba025a399ca38f
Instruction ID: da046e9c4ded9b09651e9dde126887700eba7d1db497b25a904e5e056607dd59
Opcode Fuzzy Hash: 5d6c30fc249c5356bdda3edabf507e5a6debc71ffc6635717bba025a399ca38f
Instruction Fuzzy Hash: 8E21D322A00106AAFB34CF14CD09A9773A6EB99B61B568567E80AD7301E73ADD41E358

Uniqueness

Uniqueness Score: -1.00%

Function 0040D6BD, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040D6CB
LoadResource.KERNEL32(00000000,00000000,?,?,00000000,0040D28C,?,?,00000000), ref: 0040D6D6
LockResource.KERNEL32(00000000,?,?,00000000,0040D28C,?,?,00000000), ref: 0040D6DD
SizeofResource.KERNEL32(00000000,00000000,?,?,00000000,0040D28C,?,?,00000000), ref: 0040D6E8

Strings

SETTINGS, xrefs: 0040D6C2

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: fcc5c8a6a3fddb8011069f9424e3a3356320d75afcc403f118f7eaec50d3effc
Instruction ID: 87b043d391f1c897cf0509bc76da618615af2e2337ef59aeb496bbf5e4fa55b5
Opcode Fuzzy Hash: fcc5c8a6a3fddb8011069f9424e3a3356320d75afcc403f118f7eaec50d3effc
Instruction Fuzzy Hash: D6E0EC72742350BBD6601BA16D4DF4B6A68DB86F63F000036F701CA1E1C6F58800C769

Uniqueness

Uniqueness Score: -1.00%

Function 00407CA7, Relevance: 7.7, APIs: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407CAC

Part of subcall function 00407544: char_traits.LIBCPMT ref: 0040755F

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00407D24
FindNextFileW.KERNEL32(00000000,?), ref: 00407D4D
FindClose.KERNEL32(000000FF), ref: 00407D64

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNextchar_traits
String ID:
API String ID: 3260228402-0
Opcode ID: 3e892bc5228eeb3af2b68be48b781723cb9376ad6d0df5ca305434d56b85200f
Instruction ID: 070240a214bec158dc9ea0c649df7a7a0dcba6b410d4b35b5650aa469030124b
Opcode Fuzzy Hash: 3e892bc5228eeb3af2b68be48b781723cb9376ad6d0df5ca305434d56b85200f
Instruction Fuzzy Hash: 94916F329101099BCB15EBA1CC519EE7379AF24348F1441BFE806B71E1EB396F49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004492D1, Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

Part of subcall function 004407A2: _free.LIBCMT ref: 00440801
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044080E

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004493DD
IsValidCodePage.KERNEL32(00000000), ref: 00449438
IsValidLocale.KERNEL32(?,00000001), ref: 00449447
GetLocaleInfoW.KERNEL32(?,00001001,0043CFAD,00000040,?,0043D0CD,00000055,00000000,?,?,00000055,00000000), ref: 0044948F
GetLocaleInfoW.KERNEL32(?,00001002,0043D02D,00000040), ref: 004494AE

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: dcfd29795eb682085bde7d2949c4da4c6a7a1cec0aa18ea7475c55543bc624ef
Instruction ID: 91ba770fa4a34b7d7f814d25511e3068a8292f1b568bb588eb65757142717e08
Opcode Fuzzy Hash: dcfd29795eb682085bde7d2949c4da4c6a7a1cec0aa18ea7475c55543bc624ef
Instruction Fuzzy Hash: EE517E71A00205ABFF10DFA6DC81AAF73B8AF09700F04446BF914E7291DBB89D019B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405C45, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 248filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00405D71
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00405E74

Strings

C:\Windows\SysWOW64\DpiScaling.exe, xrefs: 00405DBC, 00405F28
open, xrefs: 00405D6B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\SysWOW64\DpiScaling.exe$open
API String ID: 2825088817-3153102537
Opcode ID: 4bf98849821c2046fe26323cb184fd64b8437d09914851eaef8b04855ef87f03
Instruction ID: 7be6e1cb48896908b4bf8852f262d71b52177677153d603a10d2d9c326f6db40
Opcode Fuzzy Hash: 4bf98849821c2046fe26323cb184fd64b8437d09914851eaef8b04855ef87f03
Instruction Fuzzy Hash: B471D83160430157CA14FB76D8669AF77A59F90748F40093FF842772E3EE3C9A49CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 00448999, Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0043CFB4,?,?,?,?,0043CA0B,?,00000004), ref: 00448A7B
_wcschr.LIBVCRUNTIME ref: 00448B0B
_wcschr.LIBVCRUNTIME ref: 00448B19
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0043CFB4,00000000,0043D0D4), ref: 00448BBC

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 10b822f07d2af7a4840b1fed053237b2088a4002e4115d9a500687b124ddb45e
Instruction ID: 0d78a1f5d65758e8def79a8b0c8a38e45181fa82efacdaf07a707cd23df87bd4
Opcode Fuzzy Hash: 10b822f07d2af7a4840b1fed053237b2088a4002e4115d9a500687b124ddb45e
Instruction Fuzzy Hash: 4761E875600206AAFB24AF25CC46AAF73A8EF04704F14446FFA05D7281EF78ED558769

Uniqueness

Uniqueness Score: -1.00%

Function 00440E7A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0043CA0B,?,00000004), ref: 00440ECD

Strings

GetLocaleInfoEx, xrefs: 00440E95
Z@, xrefs: 00440EB8

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx$Z@
API String ID: 2299586839-3272052422
Opcode ID: 7c8d000429b8e355b90c079a4c1be72d265db8748dfe4df58865c4b66566874d
Instruction ID: 1221e39d2fda7ee48bc55b78ac7e0f45c169fb21b794b60c238f2c857ecd19a6
Opcode Fuzzy Hash: 7c8d000429b8e355b90c079a4c1be72d265db8748dfe4df58865c4b66566874d
Instruction Fuzzy Hash: 08F0C231640318BBDF116F61DC02F6F7B65EF04B02F51006EFD05262A2CAB98E24969D

Uniqueness

Uniqueness Score: -1.00%

Function 00448D84, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

Part of subcall function 004407A2: _free.LIBCMT ref: 00440801
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044080E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00448DD8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00448E29
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00448EE9

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 0382fecb1f7298956d05bc9d74fe177540f771d288726fe30c7888bb8f99e386
Instruction ID: bca93f28c27ec6bb4c47567277e21ea13a04f5fb11191e5da2365a683ef16b4b
Opcode Fuzzy Hash: 0382fecb1f7298956d05bc9d74fe177540f771d288726fe30c7888bb8f99e386
Instruction Fuzzy Hash: 0C6190715006079BFB289F24CC82BBEB7A9EF54304F2040BEE905C6681EB79DD95DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00436123, Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043621B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00436225
UnhandledExceptionFilter.KERNEL32(?), ref: 00436232

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 31e4a78466b8f2968367c4b85d8854ba845cee76d958ddc53876169187cba58a
Instruction ID: 164677dc342c69cec945bbd217d003c8cee4120f2e7e8da75403c2a5c328be94
Opcode Fuzzy Hash: 31e4a78466b8f2968367c4b85d8854ba845cee76d958ddc53876169187cba58a
Instruction Fuzzy Hash: 7C31F67490122DABCB21DF24DD88B9DB7B8BF08310F5041EAE80CA7261E7749F858F48

Uniqueness

Uniqueness Score: -1.00%

Function 00408826, Relevance: 4.6, APIs: 3, Instructions: 63keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0040887D
GetKeyState.USER32 ref: 00408886
CallNextHookEx.USER32 ref: 004088C3

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: State$CallHookNext
String ID:
API String ID: 3691737146-0
Opcode ID: e837d54517a6fb7d3fc7a82fa008ec5ea68b8d506432ac8cb5715109d08e30b0
Instruction ID: 1a06aa242e826c740a6184c532c47c4b6408ab6211e5fb4f8f25bcf18b2b9d9e
Opcode Fuzzy Hash: e837d54517a6fb7d3fc7a82fa008ec5ea68b8d506432ac8cb5715109d08e30b0
Instruction Fuzzy Hash: 6411B233500205AAEF15BB798985B6A3B559F85310F84807FF9813A2D7CEBC9C4187AA

Uniqueness

Uniqueness Score: -1.00%

Function 0043B809, Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0043E44B,?,0043B7DF,0043E44B,00467150,0000000C,0043B8F2,0043E44B,00000002,00000000,?,0043E44B), ref: 0043B82A
TerminateProcess.KERNEL32(00000000,?,0043B7DF,0043E44B,00467150,0000000C,0043B8F2,0043E44B,00000002,00000000,?,0043E44B), ref: 0043B831
ExitProcess.KERNEL32 ref: 0043B843

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 76c9d7a820b448a9a3845adb15788c02d4d33362215718732ee81f4a8b48c5bb
Instruction ID: 1c7d6bb3779525f1e66094fe83db0f966e5124d15fc9b56dd8de18fa1c63e4e8
Opcode Fuzzy Hash: 76c9d7a820b448a9a3845adb15788c02d4d33362215718732ee81f4a8b48c5bb
Instruction Fuzzy Hash: 70E0463A001308AFCF057F54CE09E493B29FB45386F009066FA098A232CB79DD42CA88

Uniqueness

Uniqueness Score: -1.00%

Function 004454B9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044564C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 42469c5fcc8ed950a107efc8d8a90afb6e8309f5a62d0cb9dc8b705de6fc84d4
Instruction ID: df6dd1fd19e9d3f814067f0927b03ea628df59000b6a77ab7f3e69be91aca374
Opcode Fuzzy Hash: 42469c5fcc8ed950a107efc8d8a90afb6e8309f5a62d0cb9dc8b705de6fc84d4
Instruction Fuzzy Hash: 1A312471800218BBEF249E79CC84EFB7BBEDB85304F0401AAF818D7252E6789D408B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041513C, Relevance: 3.2, APIs: 2, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00415392
FindNextFileW.KERNEL32(00000000,?,?), ref: 0041545E

Part of subcall function 00407544: char_traits.LIBCPMT ref: 0040755F

Part of subcall function 0041762A: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,00413490), ref: 00417647

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNextchar_traits
String ID:
API String ID: 3100282071-0
Opcode ID: 3af3a47d788157dbcee27a2c6b5c876115a12dbc08200462fe788251695b1a6b
Instruction ID: 415430a57af6843ad216539af0c7b8f22628056325bc9e9ead5e33eb0cba95ad
Opcode Fuzzy Hash: 3af3a47d788157dbcee27a2c6b5c876115a12dbc08200462fe788251695b1a6b
Instruction Fuzzy Hash: 148172715083419AC314FB22C856EEF73A8AF91348F40453FF556A71E2EF3C9A49C69A

Uniqueness

Uniqueness Score: -1.00%

Function 004061D5, Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,0046B230), ref: 004061F0
FindNextFileW.KERNEL32(00000000,?,?), ref: 004062B0

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID:
API String ID: 4113138495-0
Opcode ID: 39557b44929d59f4b352159b9b410c03c576ec511b26d1a6b77701e7aeffbc4a
Instruction ID: 7e20ef7ed534c7a2ebc3e82f7010632c71f3460c1666959884f7e1c2c5d26e3f
Opcode Fuzzy Hash: 39557b44929d59f4b352159b9b410c03c576ec511b26d1a6b77701e7aeffbc4a
Instruction Fuzzy Hash: 982173719001096ACB04FBA1DC96DEE7738AF51304F40027FF506B71D1EF385A498A99

Uniqueness

Uniqueness Score: -1.00%

Function 0042F326, Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042F33F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 4429e27c3b69c390383162b7039e70f07cccfb1a1ef950d39ddb8e5e7ca778a2
Instruction ID: 6565cddf24b1368cd7dc6c92ffee754d868cfef3d7483c276099f413a056c791
Opcode Fuzzy Hash: 4429e27c3b69c390383162b7039e70f07cccfb1a1ef950d39ddb8e5e7ca778a2
Instruction Fuzzy Hash: AB416DB2A002159BDB14CFA9E88576ABBF8FB08314F50853BD815E7350E3F89954CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00448FD4, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

Part of subcall function 004407A2: _free.LIBCMT ref: 00440801
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044080E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00449028

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: bfb43e1acf6931fc4b08d6823fffbae97daaaeb67d42accd8cbb20e706e811e9
Instruction ID: 2caed2ed98f0061b0d8487d8bb96058399d77436accdb35a7e18e4eb67240fb6
Opcode Fuzzy Hash: bfb43e1acf6931fc4b08d6823fffbae97daaaeb67d42accd8cbb20e706e811e9
Instruction Fuzzy Hash: 8E21D332600206ABEB249E25CC41B7B73A8EB40314F10017FEA01C6242EB799D45DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00448C5C, Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

EnumSystemLocalesW.KERNEL32(00448D84,00000001,00000000,?,0043CFAD,?,004493B1,00000000,?,?,?), ref: 00448CCE

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 23269c43b2b41064a3c04dc26a19b0271ea74a36c3a7ffc9c01d05f9df07a5a5
Instruction ID: f1be4d7ed255d17d72090a14792cc3a6cca71aeb8908c04703445887aa6abde4
Opcode Fuzzy Hash: 23269c43b2b41064a3c04dc26a19b0271ea74a36c3a7ffc9c01d05f9df07a5a5
Instruction Fuzzy Hash: 4811063A6007055FEB189F39C89157BB791FF80318B18442EEA8647B40D775A902CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00449204, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00448FA2,00000000,00000000,?), ref: 00449230

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 27a7085096359c0aea7dfc8e09e8cc03cf692836479549258a36d45523000964
Instruction ID: 597b6b44b7d2c048843e36ef0d4fb2179b15d955f5f7be562b5dd76c5cc0d33b
Opcode Fuzzy Hash: 27a7085096359c0aea7dfc8e09e8cc03cf692836479549258a36d45523000964
Instruction Fuzzy Hash: 08F0F936A142157FEB245A6588097BB775CFB40714F1408ABED05A3640EAB8BD01D6D5

Uniqueness

Uniqueness Score: -1.00%

Function 00448CF7, Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

EnumSystemLocalesW.KERNEL32(00448FD4,00000001,?,?,0043CFAD,?,00449375,0043CFAD,?,?,?,?,?,0043CFAD,?,?), ref: 00448D43

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 8d464122e9bf18685a4e01e9be4ed80639061091200b1a99b6adf5079c801292
Instruction ID: bb4b4cbbb48ccd4d3bec5e0ca0aaeb501e109e0b73feb33659830a507acce906
Opcode Fuzzy Hash: 8d464122e9bf18685a4e01e9be4ed80639061091200b1a99b6adf5079c801292
Instruction Fuzzy Hash: F6F028767003041FEB145F398C8166B7B95EF81358B14442EFA4587691DBB59C018A44

Uniqueness

Uniqueness Score: -1.00%

Function 00440991, Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043DB9D: EnterCriticalSection.KERNEL32(-0046A510,?,0043B52F,00000000,00467130,0000000C,0043B4EA,00000000,?,?,0043DE3B,00000000,?,00440857,00000001,00000364), ref: 0043DBAC

EnumSystemLocalesW.KERNEL32(0044094B,00000001,004672D8,0000000C), ref: 004409C9

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 838aa6304220a86a7fe94eb6670f766574592b96fa3d1985fc4fc5ae3d3effc1
Instruction ID: ad5a74656581bc7c57e90bc8771b6e7009cbe9780442b46360e439724374a2a7
Opcode Fuzzy Hash: 838aa6304220a86a7fe94eb6670f766574592b96fa3d1985fc4fc5ae3d3effc1
Instruction Fuzzy Hash: 22F04472610204EFEB00EF69E846B5D77F0EB08729F10816BF510DB1A2D7B999508F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00448C11, Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

EnumSystemLocalesW.KERNEL32(00448B68,00000001,?,?,?,004493D3,0043CFAD,?,?,?,?,?,0043CFAD,?,?,?), ref: 00448C48

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 1ae2cd36b88da9a2926d601caa8ed78466f554086bab381f27b3972ec7077a61
Instruction ID: 339e5d5696f1f8f4567ebc2ca07d48cfe9afe102aa7fcbe8784f25cd06269a12
Opcode Fuzzy Hash: 1ae2cd36b88da9a2926d601caa8ed78466f554086bab381f27b3972ec7077a61
Instruction Fuzzy Hash: 0FF05C3A3002045BDB049F35C84566FBF50EFC2710F06405EEB058B281C7759842C754

Uniqueness

Uniqueness Score: -1.00%

Function 0040D824, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00411BBD,0046B230,0046B5AC,0046B230,00000000,0046B230,00000000,0046B230,3.1.2 Pro), ref: 0040D838

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ff8beae2c29f8601f1d9a24f90001d48ee40be6b48077d909584f10b3c7080f1
Instruction ID: 96c73a57316dee046c2c045e2eff211b88fe526610a4c69ab00377d604caa1bd
Opcode Fuzzy Hash: ff8beae2c29f8601f1d9a24f90001d48ee40be6b48077d909584f10b3c7080f1
Instruction Fuzzy Hash: 33D05B7074131CB7D914D6959D0EEAA779CD701B52F0001A6BB04E72C0D9E15E00C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0044680E, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044680E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 402226844a25ed0ccd1962e481d12894c56aac7d7613bdd422f2ee7af18a3609
Instruction ID: 5ba0c33bf86985cc8a65cddc3594053c55753a432b63fc4a05055fe391c87f78
Opcode Fuzzy Hash: 402226844a25ed0ccd1962e481d12894c56aac7d7613bdd422f2ee7af18a3609
Instruction Fuzzy Hash: 8AA01130200B008B83008F32AB0820E3AA8AA0A282300803AA000C0A20EAB088A0CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4F9, Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 280registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE25: TerminateProcess.KERNEL32(00000000,0046B4F8,0040D81B), ref: 0040FE35
Part of subcall function 0040FE25: WaitForSingleObject.KERNEL32(000000FF), ref: 0040FE48

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B5F2
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B605
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B61D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B64B

Part of subcall function 00409EB9: TerminateThread.KERNEL32(00408785,00000000,0046B4F8,0040B1BA,?,0046B510,0046B4F8), ref: 00409EC8
Part of subcall function 00409EB9: UnhookWindowsHookEx.USER32(00350303), ref: 00409ED8
Part of subcall function 00409EB9: TerminateThread.KERNEL32(0040876A,00000000,?,0046B510,0046B4F8), ref: 00409EEA

Part of subcall function 00417595: CreateFileW.KERNELBASE(00412EFD,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000000,00000000,?,004176BF,00000000,00000000), ref: 004175D4

ShellExecuteW.SHELL32(00000000,open,00000000,00464A1C,00464A1C,00000000), ref: 0040B86E
ExitProcess.KERNEL32 ref: 0040B87A

Strings

\update.vbs, xrefs: 0040B64D
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040B547
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B822
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B7BA
wend, xrefs: 0040B744
exepath, xrefs: 0040B5CD
Temp, xrefs: 0040B652
fso.DeleteFile ", xrefs: 0040B6FC
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040B679
while fso.FileExists(", xrefs: 0040B6B6
"), xrefs: 0040B6A1
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040B596
sdghbq, xrefs: 0040B542
""", 0, xrefs: 0040B7A5
fso.DeleteFolder ", xrefs: 0040B76E
On Error Resume Next, xrefs: 0040B687
open, xrefs: 0040B868

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$sdghbq$wend$while fso.FileExists("
API String ID: 1861856835-2999049315
Opcode ID: 78772513a34172ee7933ce952b11dce6834a3023f8c7326f2db1c493a6611380
Instruction ID: f6b223ffaa8520aacf872ac80ff8c8108c9dc7ada6db8bb60164abeef578d9a9
Opcode Fuzzy Hash: 78772513a34172ee7933ce952b11dce6834a3023f8c7326f2db1c493a6611380
Instruction Fuzzy Hash: 5F917F71A101186ACB14F7A2DC52AEE7769AF50349F14007FB806731E3EF785E4AC69E

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA5F, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 181synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,0046B570,0046B510,00000000), ref: 0040FA78
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040FA8B

Part of subcall function 00410767: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046B510), ref: 00410783
Part of subcall function 00410767: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041079C
Part of subcall function 00410767: RegCloseKey.KERNELBASE(00000000), ref: 004107A7

ExitProcess.KERNEL32 ref: 0040FAD2
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040FAFB
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040FB06
CloseHandle.KERNEL32(00000000), ref: 0040FB0D
GetCurrentProcessId.KERNEL32 ref: 0040FB13
PathFileExistsW.SHLWAPI(?), ref: 0040FB44
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040FC13
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040FC69
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040FC74
CloseHandle.KERNEL32(00000000), ref: 0040FC7B
GetCurrentProcessId.KERNEL32 ref: 0040FC81

Strings

exepath, xrefs: 0040FAB7
WDH, xrefs: 0040FB1A, 0040FC88
Mutex_RemWatchdog, xrefs: 0040FA6B
.exe, xrefs: 0040FBC7
temp_, xrefs: 0040FBB5
open, xrefs: 0040FC0D

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
API String ID: 2645874385-232273909
Opcode ID: fccea3e2ac65babf347ab9bca9dcc1b0addb0663df9f697dc6b0aa87aca88293
Instruction ID: 46d735b8f568c69b2ce4b96e95c11f6b596c0ea87293e1d9bb3093289d4a8b8b
Opcode Fuzzy Hash: fccea3e2ac65babf347ab9bca9dcc1b0addb0663df9f697dc6b0aa87aca88293
Instruction Fuzzy Hash: 3651A871A003097BDB10B7709D49EEE336DAB05755F10407BB902A71E2EFBC9E898A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004166D2, Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 185synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004167B7
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 004167CB
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,0045E66C), ref: 004167F0
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 00416806
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00416847
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041685F
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00416873
SetEvent.KERNEL32 ref: 00416894
WaitForSingleObject.KERNEL32(000001F4), ref: 004168A5
CloseHandle.KERNEL32 ref: 004168B5
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 004168D7
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 004168E1

Strings

stop audio, xrefs: 004168D2
play audio, xrefs: 004167C6
" type , xrefs: 00416759
alias audio, xrefs: 00416741
close audio, xrefs: 004168DC
open ", xrefs: 00416754
resume audio, xrefs: 0041685A
stopped, xrefs: 00416878
pause audio, xrefs: 00416842
status audio mode, xrefs: 0041686E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: 96c29d7b44177c73af881e8594c88207bc08fc27066c2e93d93e2db4a18861c0
Instruction ID: d8989cec65c380bf0f9048d047e07166de3970e700af9e5074a669739b680866
Opcode Fuzzy Hash: 96c29d7b44177c73af881e8594c88207bc08fc27066c2e93d93e2db4a18861c0
Instruction Fuzzy Hash: 7951C6716402087ADB14B7B6DC96DBE3A2CDF91349F50003FF505661D2EE788D45CAAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B19B, Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FE25: TerminateProcess.KERNEL32(00000000,0046B4F8,0040D81B), ref: 0040FE35
Part of subcall function 0040FE25: WaitForSingleObject.KERNEL32(000000FF), ref: 0040FE48

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,0046B510,0046B4F8), ref: 0040B2A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B2B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,?,0046B510,0046B4F8), ref: 0040B2E6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,0046B510,0046B4F8), ref: 0040B2F4

Part of subcall function 00409EB9: TerminateThread.KERNEL32(00408785,00000000,0046B4F8,0040B1BA,?,0046B510,0046B4F8), ref: 00409EC8
Part of subcall function 00409EB9: UnhookWindowsHookEx.USER32(00350303), ref: 00409ED8
Part of subcall function 00409EB9: TerminateThread.KERNEL32(0040876A,00000000,?,0046B510,0046B4F8), ref: 00409EEA

ShellExecuteW.SHELL32(00000000,open,00000000,00464A1C,00464A1C,00000000), ref: 0040B4EB
ExitProcess.KERNEL32 ref: 0040B4F2

Strings

Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040B1E9
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B49F
wend, xrefs: 0040B443
exepath, xrefs: 0040B282
.vbs, xrefs: 0040B2FD
Temp, xrefs: 0040B33D
fso.DeleteFile ", xrefs: 0040B3FB
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040B377
while fso.FileExists(", xrefs: 0040B3B5
"), xrefs: 0040B3A0
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040B238
sdghbq, xrefs: 0040B1E4
fso.DeleteFolder ", xrefs: 0040B46D
On Error Resume Next, xrefs: 0040B385
open, xrefs: 0040B4E5

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FileTerminate$AttributesProcessThread$DeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$sdghbq$wend$while fso.FileExists("
API String ID: 3659626935-1504589134
Opcode ID: 604c3d72c3a0a4e7bf5f34748d62497d0d9e342af2275faa81f0c344a7543cf9
Instruction ID: 233b1ac22399a6b58fade96047edf2e74989bafc185b9b778e5e9585ca172280
Opcode Fuzzy Hash: 604c3d72c3a0a4e7bf5f34748d62497d0d9e342af2275faa81f0c344a7543cf9
Instruction Fuzzy Hash: AE818D71A101046ACB18F7A2DC669EE77699F50309F14007FB806771E3EE785E8AC69E

Uniqueness

Uniqueness Score: -1.00%

Function 00401A44, Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 155fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AAC
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AD3
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AE2
WriteFile.KERNEL32(00000000,WAVE,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AF2
WriteFile.KERNEL32(00000000,fmt ,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B02
WriteFile.KERNEL32(00000000,00000010,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B11
WriteFile.KERNEL32(00000000,00000001,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B20
WriteFile.KERNEL32(00000000,0046AA9A,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B30
WriteFile.KERNEL32(00000000,0046AA9C,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B40
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B4F
WriteFile.KERNEL32(00000000,?,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B5E
WriteFile.KERNEL32(00000000,0046AAA6,00000002,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B6E
WriteFile.KERNEL32(00000000,data,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B7E
WriteFile.KERNEL32(00000000,?,00000004,?,00000000,?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401B8D

Strings

WAVE, xrefs: 00401AEC
data, xrefs: 00401B78
fmt , xrefs: 00401AFC
RIFF, xrefs: 00401ACD

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: b0c84a260ba8654904733b59c52d508d7a05a498c8cd30f10abbda8bdf4a9849
Instruction ID: b2fb40b394cc56fbc8cc1b045ac6ef303d36d84518ed683669f5187c7c8de3e3
Opcode Fuzzy Hash: b0c84a260ba8654904733b59c52d508d7a05a498c8cd30f10abbda8bdf4a9849
Instruction Fuzzy Hash: 0C412AB5A50218BAE710DA918D86FFF7ABCEB45B10F500056BB04EA0C0D7B45A05DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD9E, Relevance: 33.6, APIs: 7, Strings: 12, Instructions: 324fileCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040ADD6
CopyFileW.KERNEL32(C:\Windows\SysWOW64\DpiScaling.exe,00000000,00000000,00000000), ref: 0040AEA2
CopyFileW.KERNEL32(C:\Windows\SysWOW64\DpiScaling.exe,00000000,00000000,00000000), ref: 0040AF40

Part of subcall function 00417CAD: GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 00417E04

SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AF82
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AFA7
ShellExecuteW.SHELL32(00000000,open,00000000,00464A1C,00464A1C,00000000), ref: 0040B172
ExitProcess.KERNEL32 ref: 0040B17E

Strings

6, xrefs: 0040AEB0
Temp, xrefs: 0040AFAE
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040B11F
\install.vbs, xrefs: 0040AFA9
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B0AE
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040AFE2
C:\Windows\SysWOW64\DpiScaling.exe, xrefs: 0040AE42, 0040AE9D, 0040AF3A, 0040AF3F, 0040AF4A, 0040B00B
sdghbq, xrefs: 0040AE7A, 0040AF59
WScript.Sleep 1000, xrefs: 0040AFD5
""", 0, xrefs: 0040B09F
fso.DeleteFile , xrefs: 0040B017
open, xrefs: 0040B16C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$AttributesCopy$CreateDirectoryExecuteExitLongNamePathProcessShell
String ID: """, 0$6$C:\Windows\SysWOW64\DpiScaling.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$sdghbq
API String ID: 4018752923-1296834755
Opcode ID: f93aa535fd5213b7c389b1236d83b0f232863512a973419f7937c3f6c023b5f0
Instruction ID: 4b970a9c2f25de4ebdb8e0d04868a8c3d3e12f663cd647de27ec6931954a6400
Opcode Fuzzy Hash: f93aa535fd5213b7c389b1236d83b0f232863512a973419f7937c3f6c023b5f0
Instruction Fuzzy Hash: 7AA183716001049ACB18FB66CC92AEE7369AF50349F54407FF806B71D2EE7C5E4AC69E

Uniqueness

Uniqueness Score: -1.00%

Function 004460EE, Relevance: 27.4, APIs: 18, Instructions: 419COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00446115
_free.LIBCMT ref: 00446180
_free.LIBCMT ref: 004461A6
_free.LIBCMT ref: 004461CF
_free.LIBCMT ref: 00446207
_free.LIBCMT ref: 00446238
_free.LIBCMT ref: 00446279
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 004462FA
_free.LIBCMT ref: 00446313
_wcschr.LIBVCRUNTIME ref: 00446350
_free.LIBCMT ref: 004463BC
_free.LIBCMT ref: 004463E2
_free.LIBCMT ref: 0044640B
_free.LIBCMT ref: 00446440
_free.LIBCMT ref: 00446471
_free.LIBCMT ref: 004464B2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00446537
_free.LIBCMT ref: 00446550

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$___from_strstr_to_strchr_wcschr
String ID:
API String ID: 2719235668-0
Opcode ID: 329e9aebca95e8b2e73b90070fa98053ccbc9c761f1af1e9375e826d113898a6
Instruction ID: 295b3d73a96362efb55f12b4f60839b5c71cd5902b5c5da615b5fc48736f1ed3
Opcode Fuzzy Hash: 329e9aebca95e8b2e73b90070fa98053ccbc9c761f1af1e9375e826d113898a6
Instruction Fuzzy Hash: 03D128719007416FEB20BF759C4666F7BA4AF06354F06016FE905A7382EA7D99008B9F

Uniqueness

Uniqueness Score: -1.00%

Function 004064B4, Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 345fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004049C8: connect.WS2_32(?,?,00000010), ref: 004049E3

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004064FF
GetFileSizeEx.KERNEL32(00000000,?), ref: 00406536
__aulldiv.LIBCMT ref: 004065B8
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,000186A0,00000000), ref: 00406626
ReadFile.KERNEL32(00000000,?,000186A0,?,00000000), ref: 00406641

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

Part of subcall function 00404DC7: closesocket.WS2_32(?), ref: 00404DCD

Strings

[Info], xrefs: 0040657C
[ERROR], xrefs: 00406900
Uploading file to Controller: , xrefs: 0040656A
SetFilePointerEx error, xrefs: 004068F1
ReadFile error, xrefs: 004068E5

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$CreatePointerReadSize__aulldivclosesocketconnectsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $[ERROR]$[Info]
API String ID: 1319223106-2190262076
Opcode ID: 00087972c1bbcccad9f459b7f93b23dd95b2f1d3e3cedbaf7aeb8ff3de30830a
Instruction ID: e8f60d29dde9b62ef4089529583d692e953e939839658a7192b42a52e5610b8b
Opcode Fuzzy Hash: 00087972c1bbcccad9f459b7f93b23dd95b2f1d3e3cedbaf7aeb8ff3de30830a
Instruction Fuzzy Hash: B1C17771E00209ABCB08FB65DD829EEB775AF45304F5041BFF406B72E1EB385A858B59

Uniqueness

Uniqueness Score: -1.00%

Function 004187E7, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 00418832
GetCursorPos.USER32(?), ref: 00418841
SetForegroundWindow.USER32(?), ref: 0041884A
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00418864
Shell_NotifyIconA.SHELL32(00000002,0046AEB8), ref: 004188B5
ExitProcess.KERNEL32 ref: 004188BD
CreatePopupMenu.USER32 ref: 004188C3
AppendMenuA.USER32 ref: 004188D8

Strings

Close, xrefs: 004188C9

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: ae216f356828b11208874669a1da58d774a7fac8c60ea64ab47b47ae48bd8605
Instruction ID: 39e2af18bf948902aca61eb325c4ffec799d02a7e8dd3f448e1207af9c11930e
Opcode Fuzzy Hash: ae216f356828b11208874669a1da58d774a7fac8c60ea64ab47b47ae48bd8605
Instruction Fuzzy Hash: BE211031140209AFDB096F64EF0DAAA3F65FB05302F44413AF905A01B1DBFAD960DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0043E06B, Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043E0DB
_free.LIBCMT ref: 0043E0F1
_free.LIBCMT ref: 0043E102
_free.LIBCMT ref: 0043E113
_free.LIBCMT ref: 0043E12A
GetCPInfo.KERNEL32(?,?), ref: 0043E172

Part of subcall function 0044A0C1: _free.LIBCMT ref: 0044A12C

_free.LIBCMT ref: 0043E31E
_free.LIBCMT ref: 0043E331
_free.LIBCMT ref: 0043E33F
_free.LIBCMT ref: 0043E34A
_free.LIBCMT ref: 0043E38C
_free.LIBCMT ref: 0043E394
_free.LIBCMT ref: 0043E39C
_free.LIBCMT ref: 0043E3A4
_free.LIBCMT ref: 0043E3B2

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 90ebe6f9ef33dee416cebc3521aa596745b382fc146f5061b59aee63aa999f41
Instruction ID: 294d59eeae8d04abf68c5d094c53a626261cc5768f990b41fbea2d3fff7759f7
Opcode Fuzzy Hash: 90ebe6f9ef33dee416cebc3521aa596745b382fc146f5061b59aee63aa999f41
Instruction Fuzzy Hash: DAB1BE719012059EDB109FAAC881BEFBBF9BF0C304F14506EF859A7382D779A8458B64

Uniqueness

Uniqueness Score: -1.00%

Function 00417857, Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 212registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00417879
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00417B2D
RegCloseKey.ADVAPI32(?), ref: 00417B41

Strings

InstallDate, xrefs: 0041793C
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041786D
DisplayName, xrefs: 004178ED
DisplayVersion, xrefs: 00417915
InstallLocation, xrefs: 0041792A
Publisher, xrefs: 00417900
UninstallString, xrefs: 0041794E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 715f645f3d4e8edd574708c3705f992be1a7761b1654118ec47f440051e0f834
Instruction ID: 2d1d1dea83c617406901002386b47fa735698a54a6bb9c0662f5094861d3a369
Opcode Fuzzy Hash: 715f645f3d4e8edd574708c3705f992be1a7761b1654118ec47f440051e0f834
Instruction Fuzzy Hash: C8813F719001189BDB14EB61DD52AEEB379EF54304F1041AFB90672192EF346F85CE69

Uniqueness

Uniqueness Score: -1.00%

Function 00447F87, Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00447FCB

Part of subcall function 004471C3: _free.LIBCMT ref: 004471E0
Part of subcall function 004471C3: _free.LIBCMT ref: 004471F2
Part of subcall function 004471C3: _free.LIBCMT ref: 00447204
Part of subcall function 004471C3: _free.LIBCMT ref: 00447216
Part of subcall function 004471C3: _free.LIBCMT ref: 00447228
Part of subcall function 004471C3: _free.LIBCMT ref: 0044723A
Part of subcall function 004471C3: _free.LIBCMT ref: 0044724C
Part of subcall function 004471C3: _free.LIBCMT ref: 0044725E
Part of subcall function 004471C3: _free.LIBCMT ref: 00447270
Part of subcall function 004471C3: _free.LIBCMT ref: 00447282
Part of subcall function 004471C3: _free.LIBCMT ref: 00447294
Part of subcall function 004471C3: _free.LIBCMT ref: 004472A6
Part of subcall function 004471C3: _free.LIBCMT ref: 004472B8

_free.LIBCMT ref: 00447FC0

Part of subcall function 0043ECB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000), ref: 0043ECCB
Part of subcall function 0043ECB5: GetLastError.KERNEL32(00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000,00000000), ref: 0043ECDD

_free.LIBCMT ref: 00447FE2
_free.LIBCMT ref: 00447FF7
_free.LIBCMT ref: 00448002
_free.LIBCMT ref: 00448024
_free.LIBCMT ref: 00448037
_free.LIBCMT ref: 00448045
_free.LIBCMT ref: 00448050
_free.LIBCMT ref: 00448088
_free.LIBCMT ref: 0044808F
_free.LIBCMT ref: 004480AC
_free.LIBCMT ref: 004480C4

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1df3688d6c9b97f8f946041ed70f3f702118965e3b111304231ee4d35afd2ced
Instruction ID: 8c38c27da987b7a635d5bebd97d7f1256e324184c0a4d0d04fd6cf574e8e9e51
Opcode Fuzzy Hash: 1df3688d6c9b97f8f946041ed70f3f702118965e3b111304231ee4d35afd2ced
Instruction Fuzzy Hash: 5E317C316042019FFB31AB7AD905B5F73E9AF04314F11681FE45AD7292EF39AC888B18

Uniqueness

Uniqueness Score: -1.00%

Function 004472C1, Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00447309
_free.LIBCMT ref: 0044732D
_free.LIBCMT ref: 0044733A
_free.LIBCMT ref: 0044735F
_free.LIBCMT ref: 0044736C
_free.LIBCMT ref: 00447375
_free.LIBCMT ref: 00447653
_free.LIBCMT ref: 0044765B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 00f19464545b9ea9b3523f3c803e12fc6435e99e3f3afee177e1a55b6748d8ac
Instruction ID: d281fa1f8646a1697afc93f14510cb2b4bcb9fcf22eaff47e093c2dd356bf65b
Opcode Fuzzy Hash: 00f19464545b9ea9b3523f3c803e12fc6435e99e3f3afee177e1a55b6748d8ac
Instruction Fuzzy Hash: 0AC17672D41205BFEB20DFA9CC42FEE77F8AB48704F14406AFA05FB282D67499518769

Uniqueness

Uniqueness Score: -1.00%

Function 0044E34D, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044E01B: CreateFileW.KERNEL32(00000000,00000000,?,0044E3F6,?,?,00000000,?,0044E3F6,00000000,0000000C), ref: 0044E038

GetLastError.KERNEL32 ref: 0044E461
__dosmaperr.LIBCMT ref: 0044E468
GetFileType.KERNEL32(00000000), ref: 0044E474
GetLastError.KERNEL32 ref: 0044E47E
__dosmaperr.LIBCMT ref: 0044E487
CloseHandle.KERNEL32(00000000), ref: 0044E4A7
CloseHandle.KERNEL32(?), ref: 0044E5F1
GetLastError.KERNEL32 ref: 0044E623
__dosmaperr.LIBCMT ref: 0044E62A

Strings

H, xrefs: 0044E5AF

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: eecf333f71bc96d8dc5ac88c3fb170066a3f0d9cd420d544864fc0712d2d40de
Instruction ID: 94fbe240bb42dbd8e0f205b176f9d32671075cf56861fa904afae5ccd9ad6a91
Opcode Fuzzy Hash: eecf333f71bc96d8dc5ac88c3fb170066a3f0d9cd420d544864fc0712d2d40de
Instruction Fuzzy Hash: 5DA14A32A145049FEF19EF69DC527AE7BB0AB0A324F14015EF811AB3D1D7798C12CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B89F, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 0040FE25: TerminateProcess.KERNEL32(00000000,0046B4F8,0040D81B), ref: 0040FE35
Part of subcall function 0040FE25: WaitForSingleObject.KERNEL32(000000FF), ref: 0040FE48

Part of subcall function 00410767: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,0046B510), ref: 00410783
Part of subcall function 00410767: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041079C
Part of subcall function 00410767: RegCloseKey.KERNELBASE(00000000), ref: 004107A7

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B8F9
ShellExecuteW.SHELL32(00000000,open,00000000,00464A1C,00464A1C,00000000), ref: 0040BA58
ExitProcess.KERNEL32 ref: 0040BA64

Strings

exepath, xrefs: 0040B8D1
.vbs, xrefs: 0040B8FF
Temp, xrefs: 0040B93A
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040BA07
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040B999
""", 0, xrefs: 0040B981
open, xrefs: 0040BA52

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2411266221
Opcode ID: b3f01a99b62a533797f1c5d7292f671d13e29dc4d5aa7ec37d2c11dc2d8bc29f
Instruction ID: 1449f38187be00ef789bb7c238c47e874f336dce9f6d1fcde04d26cd8025858f
Opcode Fuzzy Hash: b3f01a99b62a533797f1c5d7292f671d13e29dc4d5aa7ec37d2c11dc2d8bc29f
Instruction Fuzzy Hash: 72415E31A101189ACB14FB62DC56DEE7779AF50705F10017FF806B31E2EE385E8ACA99

Uniqueness

Uniqueness Score: -1.00%

Function 00434F1A, Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D19,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434F72
GetLastError.KERNEL32(?,?,00401D19,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434F7F
__dosmaperr.LIBCMT ref: 00434F86
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D19,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434FB2
GetLastError.KERNEL32(?,?,?,00401D19,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00434FBC
__dosmaperr.LIBCMT ref: 00434FC3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D19,?), ref: 00435006
GetLastError.KERNEL32(?,?,?,?,?,?,00401D19,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00435010
__dosmaperr.LIBCMT ref: 00435017
_free.LIBCMT ref: 00435023
_free.LIBCMT ref: 0043502A

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 03c1e9ed19825db1ac034d48873f66a8ad266d0654217f6c33c7f0e215798f1a
Instruction ID: c9c9335336a89b2c59d2cf0f9b7830c19e022b00eabf8274827dc48621fddd61
Opcode Fuzzy Hash: 03c1e9ed19825db1ac034d48873f66a8ad266d0654217f6c33c7f0e215798f1a
Instruction Fuzzy Hash: 5831CE7280060ABFDF15AFA5DC459AF3B78EF4D324F14516AF81056291DB39CD00CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044F0B5, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044FCFF), ref: 0044F0D8

Strings

asin, xrefs: 0044F244
exp, xrefs: 0044F19D, 0044F1FF
Z@, xrefs: 0044F14E, 0044F1E8, 0044F2A0
pow, xrefs: 0044F1BC, 0044F268, 0044F27B
sqrt, xrefs: 0044F25C
acos, xrefs: 0044F250
log, xrefs: 0044F17E, 0044F18A
log10, xrefs: 0044F122, 0044F172

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: Z@$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1330057990
Opcode ID: 546ae513bbc881a2a33b368b738520846b1cd4fe470f91acbdf90245df89f40f
Instruction ID: a04afc1eabbc984b08d6b97e0c2dce00461b31c7134f7f962801f8d098fdc209
Opcode Fuzzy Hash: 546ae513bbc881a2a33b368b738520846b1cd4fe470f91acbdf90245df89f40f
Instruction Fuzzy Hash: 4D519275900A1ADBEF10CFA8E9480EDBBB0FB49304F5041A7D881A7255CBBA8D1DDB1D

Uniqueness

Uniqueness Score: -1.00%

Function 004053A3, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 154windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004053C2
GetMessageA.USER32 ref: 0040548C
TranslateMessage.USER32(?), ref: 0040549B
DispatchMessageA.USER32 ref: 004054A6
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046B2B0), ref: 00405549
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405581

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

Strings

DisplayMessage, xrefs: 004054F4
CloseChat, xrefs: 00405511
GetMessage, xrefs: 00405500

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 39462c484cad8a2eaca6832bbda4ca5670388de32cb308dbc362bd22d15ff0a7
Instruction ID: ecb1cfbc98ab2ed70b6514d8cd9fe74fcf02a533038be295ecf1b273ccb4aec6
Opcode Fuzzy Hash: 39462c484cad8a2eaca6832bbda4ca5670388de32cb308dbc362bd22d15ff0a7
Instruction Fuzzy Hash: 2D41B5716047015BC614FB71DD5A96F77A8AB81704F40053FF912A72E2EF3C9A05CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004188E6, Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00000000), ref: 004188F2
GetConsoleWindow.KERNEL32 ref: 004188F8
ShowWindow.USER32(00000000,00000000), ref: 0041890B

Strings

* Remcos v, xrefs: 00418968
* BreakingSecurity.net, xrefs: 0041899A
--------------------------, xrefs: 00418952
CONOUT$, xrefs: 00418920
--------------------------, xrefs: 004189B5
3.1.2 Pro, xrefs: 0041897F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ConsoleWindow$AllocShow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.1.2 Pro$CONOUT$
API String ID: 3461962499-4190615208
Opcode ID: 6d2dd39572323d4b0c8ed7ea4dbde50d6909ed7e3a79637fe332025574a478e6
Instruction ID: 3848500195b808feaa4087788ae119dbf2f766d277379350e60404f09476f985
Opcode Fuzzy Hash: 6d2dd39572323d4b0c8ed7ea4dbde50d6909ed7e3a79637fe332025574a478e6
Instruction Fuzzy Hash: F3214F72808A0525DF11AF145C01FD6B769AF92704F004293E89C7F151DFAA6DCA4BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00416186, Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,?,00415B45), ref: 00416195
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,?,00415B45), ref: 004161AC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415B45), ref: 004161B9
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00415B45), ref: 004161C8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415B45), ref: 004161D9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415B45), ref: 004161DC

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 48f2df4ea4ef9bc203d735282d3cd7c062d6dd7e1b2dca827d7989cdfe820bef
Instruction ID: 66bcccb4203c03d87018275c8fbc68324d973e5e5648a3412095ece8eea25fb5
Opcode Fuzzy Hash: 48f2df4ea4ef9bc203d735282d3cd7c062d6dd7e1b2dca827d7989cdfe820bef
Instruction Fuzzy Hash: B7110A315422187FD7116B64DCC5CFF3B2CDB47761B004027FA0592181DB64CC46EAB9

Uniqueness

Uniqueness Score: -1.00%

Function 004406AE, Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004406C2

Part of subcall function 0043ECB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000), ref: 0043ECCB
Part of subcall function 0043ECB5: GetLastError.KERNEL32(00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000,00000000), ref: 0043ECDD

_free.LIBCMT ref: 004406CE
_free.LIBCMT ref: 004406D9
_free.LIBCMT ref: 004406E4
_free.LIBCMT ref: 004406EF
_free.LIBCMT ref: 004406FA
_free.LIBCMT ref: 00440705
_free.LIBCMT ref: 00440710
_free.LIBCMT ref: 0044071B
_free.LIBCMT ref: 00440729

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4562818b8f93350310ddfaa7ec2679da1ec4ca6322590f3d7c561ed9231b1852
Instruction ID: e0bc374b8347eaffbd762ef216364b827eb2bda05097b515d71a2fd2b7f3cbb5
Opcode Fuzzy Hash: 4562818b8f93350310ddfaa7ec2679da1ec4ca6322590f3d7c561ed9231b1852
Instruction Fuzzy Hash: 1911A775501109BFDF01EF56C942CDD3BA6EF08354F4160AABA094B2A2DA35DA509F88

Uniqueness

Uniqueness Score: -1.00%

Function 0043D6BA, Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004407A2: GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
Part of subcall function 004407A2: _free.LIBCMT ref: 004407D9
Part of subcall function 004407A2: SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
Part of subcall function 004407A2: _abort.LIBCMT ref: 00440820

_memcmp.LIBVCRUNTIME ref: 0043D964
_free.LIBCMT ref: 0043D9D5
_free.LIBCMT ref: 0043D9EE
_free.LIBCMT ref: 0043DA20
_free.LIBCMT ref: 0043DA29
_free.LIBCMT ref: 0043DA35

Strings

Z@, xrefs: 0043D9B2
C, xrefs: 0043D822

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C$Z@
API String ID: 1679612858-1639471606
Opcode ID: f410f3031b1f3fd60a8aa172b00572acf5c62c3778a0fcd80ab56e7b34ceb745
Instruction ID: 6238e8002ba8d87ee696d381671d8c21b8e4375ee2ee308b6dc914961b89dffb
Opcode Fuzzy Hash: f410f3031b1f3fd60a8aa172b00572acf5c62c3778a0fcd80ab56e7b34ceb745
Instruction Fuzzy Hash: ECB13975E012199BDB24DF19D884BAEB7B4FF08304F1055AEE949A7350E735AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00415677, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041567C
GdiplusStartup.GDIPLUS(0046AE98,?,00000000), ref: 004156AE

Part of subcall function 00407544: char_traits.LIBCPMT ref: 0040755F

Part of subcall function 004154B5: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 0041550E
Part of subcall function 004154B5: DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415597

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041573A
Sleep.KERNEL32(000003E8), ref: 004157B9
GetLocalTime.KERNEL32(?), ref: 004157C1
Sleep.KERNEL32(00000000,00000018,00000000), ref: 004158B0

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041575D, 0041577E, 004157E5
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00415762

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimechar_traits
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 3280235481-3790400642
Opcode ID: 99dd4998937fdee22c8e84874b4bd7a0200325268577255cacec372ec616e8e4
Instruction ID: 023d39b461cf42c1c794f1169525fe20b8555327acf1b30643a5d2829ea41806
Opcode Fuzzy Hash: 99dd4998937fdee22c8e84874b4bd7a0200325268577255cacec372ec616e8e4
Instruction Fuzzy Hash: 7C519170A002189ACB04FBB6DC52AFE7769AB55308F04007FF845A71E2EF7C5E858799

Uniqueness

Uniqueness Score: -1.00%

Function 004435FD, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00443D72,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044363F
__fassign.LIBCMT ref: 004436BA
__fassign.LIBCMT ref: 004436D5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 004436FB
WriteFile.KERNEL32(?,FF8BC35D,00000000,r=D,00000000,?,?,?,?,?,?,?,?,?,00443D72,?), ref: 0044371A
WriteFile.KERNEL32(?,?,00000001,r=D,00000000,?,?,?,?,?,?,?,?,?,00443D72,?), ref: 00443753

Strings

r=D, xrefs: 0044370E, 00443746, 00443711, 00443749

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: r=D
API String ID: 1324828854-3010308123
Opcode ID: 4d7cd0390740e62aae9e8b8d6b75e3fcb8ca14cdf0d87bad59dbb7c2333f7d0b
Instruction ID: b2912b0f23e80cd50ac35047f1155a2d0cfad5326bd3a6d88bd5420abf9f6878
Opcode Fuzzy Hash: 4d7cd0390740e62aae9e8b8d6b75e3fcb8ca14cdf0d87bad59dbb7c2333f7d0b
Instruction Fuzzy Hash: 0951E8B0A002099FEB10CFA8DC85AEEBBF4EF09705F14812BE555E7391D7749A41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00413405, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 110sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040BA91: char_traits.LIBCPMT ref: 0040BAA1

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00413466

Part of subcall function 0041762A: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,00413490), ref: 00417647

Sleep.KERNEL32(00000064), ref: 00413492
DeleteFileW.KERNEL32(00000000), ref: 004134C6

Strings

\sysinfo.txt, xrefs: 00413411
dxdiag, xrefs: 0041345B
temp, xrefs: 00413416
/t , xrefs: 00413445
open, xrefs: 00413460

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleepchar_traits
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 2701014334-2001430897
Opcode ID: e5fb45ba4252d36a7cc74832ea785b1cad5f31c5848f666342bb106d9704653d
Instruction ID: b8ee8f532f0513722e38419c4cb9b6cd411a9d8607b3b0f301e0f30e57b7ecdf
Opcode Fuzzy Hash: e5fb45ba4252d36a7cc74832ea785b1cad5f31c5848f666342bb106d9704653d
Instruction Fuzzy Hash: C5318F719102095ACB14FBA2DC92EEE7735AF51308F40007FF906771D2EF781A4ACA9A

Uniqueness

Uniqueness Score: -1.00%

Function 004062EA, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00407544: char_traits.LIBCPMT ref: 0040755F

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,[Info],00000000,0046B230,?,00406E86,00000000), ref: 00406343
WriteFile.KERNEL32(?,?,00000000,00406E86,00000000,?,000186A0,00406E86,?,00406E86,00000000,?,?,?,0000000A), ref: 0040638B
CloseHandle.KERNEL32(00000000,?,00406E86,00000000,?,?,?,0000000A), ref: 004063C5
MoveFileW.KERNEL32(00000000,00000000), ref: 004063DD
CloseHandle.KERNEL32(?,00000057,?,00000008,?,?,?,?,?,?,?,?,0000000A), ref: 00406401
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,0000000A), ref: 00406410

Strings

[Info], xrefs: 004062FE
.part, xrefs: 0040630C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
String ID: .part$[Info]
API String ID: 820096542-3571004685
Opcode ID: a2811c59791bda6b6b33f9c7f848357fc2ebdec204dd2e7d55b978da8537e60f
Instruction ID: 2c3542610a1d586e19595e8ea8079c51db4a73444b2b01e549bb12c394a41ca6
Opcode Fuzzy Hash: a2811c59791bda6b6b33f9c7f848357fc2ebdec204dd2e7d55b978da8537e60f
Instruction Fuzzy Hash: FB316F71D00219ABCF14EFA1DD469EEB378EB04315F10847BF812B31D1DA74AA58CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F89, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00464A1C,00464A1C,00000000), ref: 00406058
ExitProcess.KERNEL32 ref: 00406065

Strings

mscfile\shell\open\command, xrefs: 00405FB7
origmsc, xrefs: 00405FF3
C:\Windows\SysWOW64\DpiScaling.exe, xrefs: 00406013
Software\Classes\mscfile\shell\open\command, xrefs: 00406022
eventvwr.exe, xrefs: 00406032
open, xrefs: 00406051

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: C:\Windows\SysWOW64\DpiScaling.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
API String ID: 1124553745-1249179971
Opcode ID: 0d1cfa7387f7203e571d2ddcc6fd3228a9637f73e30d06cd6f4536b53356d9f4
Instruction ID: f19fda83c0f1f544d8524cad75ed2d1f36f025f1cc0e2b66520d3725dc9b94bc
Opcode Fuzzy Hash: 0d1cfa7387f7203e571d2ddcc6fd3228a9637f73e30d06cd6f4536b53356d9f4
Instruction Fuzzy Hash: F611F371A5010576D708B2A2CC57FAE36689B5070AF50003FF906B61E3EFBC4A5582EE

Uniqueness

Uniqueness Score: -1.00%

Function 004186B5, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004186CE

Part of subcall function 00418767: RegisterClassExA.USER32(00000030), ref: 004187B3
Part of subcall function 00418767: CreateWindowExA.USER32 ref: 004187CE
Part of subcall function 00418767: GetLastError.KERNEL32 ref: 004187D8

ExtractIconA.SHELL32(00000000,?,00000000), ref: 00418705
lstrcpynA.KERNEL32(0046AED0,Remcos,00000080), ref: 0041871F
Shell_NotifyIconA.SHELL32(00000000,0046AEB8), ref: 00418735
TranslateMessage.USER32(?), ref: 00418741
DispatchMessageA.USER32 ref: 0041874B
GetMessageA.USER32 ref: 00418758

Strings

Remcos, xrefs: 00418710

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: d260b03214e5c0accdcc66dcc5f5f6aa3a2ae66fd84a03572da2763665f44904
Instruction ID: 7a2d62b373811514d7c9071ed7450f3ad8570e30042a2d28b228f09562c7ede0
Opcode Fuzzy Hash: d260b03214e5c0accdcc66dcc5f5f6aa3a2ae66fd84a03572da2763665f44904
Instruction Fuzzy Hash: D40152B2940704ABD7109FA1EE0CE9B7B7CFB86706F10007BF615A2161E7F990558F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00444EF8, Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2d9b812c1d4f42ccc1495c145b6c308821e7d1829214feac99b0338603b0d6
Instruction ID: e23e3979c20f35e55dc19fa4006ae4b1ffff1210921381b6af0bb95a45aa58a4
Opcode Fuzzy Hash: db2d9b812c1d4f42ccc1495c145b6c308821e7d1829214feac99b0338603b0d6
Instruction Fuzzy Hash: 96C1A370D04649AFEF11DFA9C841BAEBBB4BF4A304F18419AE504A7392C7789D41CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0044D814, Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044DAED,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044D8C0
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044DAED,00000000,00000000,?,00000001,?,?,?,?), ref: 0044D943
__alloca_probe_16.LIBCMT ref: 0044D97B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044DAED,?,0044DAED,00000000,00000000,?,00000001,?,?,?,?), ref: 0044D9D6
__alloca_probe_16.LIBCMT ref: 0044DA25
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044DAED,00000000,00000000,?,00000001,?,?,?,?), ref: 0044D9ED

Part of subcall function 0043E44C: RtlAllocateHeap.NTDLL(00000000,0042F96C,?,?,004310B7,?,?,00000000,?,?,0040BB2E,0042F96C,?,?,?,?), ref: 0043E47E

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044DAED,00000000,00000000,?,00000001,?,?,?,?), ref: 0044DA69
__freea.LIBCMT ref: 0044DA94
__freea.LIBCMT ref: 0044DAA0

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 0c5a2df0cc8d1917cfad39750eb16f0c07f30ea76b71f93eb995e5a3183216f2
Instruction ID: 586333b7773720a00ec64cea1bed426b91c60b1522a679bc6e2da193a93c669e
Opcode Fuzzy Hash: 0c5a2df0cc8d1917cfad39750eb16f0c07f30ea76b71f93eb995e5a3183216f2
Instruction Fuzzy Hash: F591C171E042169AFF20AFA5CC41ABFBBB59F09314F18066BE815E7281D738DC40C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040FFCF, Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 414filesleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040FFEA

Part of subcall function 00416D42: GetCurrentProcessId.KERNEL32(00000000,7519FBB0,00000000,?,?,?,?,?,0040B309,.vbs), ref: 00416D69

Sleep.KERNEL32(00000064,Function_0005E414), ref: 00410104
DeleteFileW.KERNEL32(00000000,Function_0005E414,Function_0005E414,Function_0005E414), ref: 004102DA
DeleteFileW.KERNEL32(00000000,Function_0005E414,Function_0005E414,Function_0005E414), ref: 00410308
DeleteFileW.KERNEL32(00000000,Function_0005E414,Function_0005E414,Function_0005E414), ref: 00410336
Sleep.KERNEL32(000001F4,Function_0005E414,Function_0005E414,Function_0005E414), ref: 0041034D

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

Strings

/stext ", xrefs: 004100A3, 0041011F, 0041019E, 00410218

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$Delete$Sleep$CurrentModuleNameProcesssend
String ID: /stext "
API String ID: 2606709979-3856184850
Opcode ID: 35489b7600e879a7a0e06e43439d59a0a1e8553e2042767bdac0cf72bf63f6ce
Instruction ID: 819942e1beef2a3f702109df5e1857fd6a1b370aae4c184f99d73a8ed3cd770c
Opcode Fuzzy Hash: 35489b7600e879a7a0e06e43439d59a0a1e8553e2042767bdac0cf72bf63f6ce
Instruction Fuzzy Hash: 50E171319101199ACB18FB61DC92AED7375AF54308F4041BFF406B71E2EF785E8ACA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F522, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040F541
inet_ntoa.WS2_32 ref: 0040F5D6

Strings

StopReverse, xrefs: 0040F6B5
StartReverse, xrefs: 0040F692
StopForward, xrefs: 0040F6A4
StartForward, xrefs: 0040F684
GetDirectListeningPort, xrefs: 0040F6C6

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 745487f01de29384b24cc9a4ef6b21cf73ac434c06adc265a01a447a2b11a145
Instruction ID: 73c099442080955713a26c41de68bdaa73ddbd7f6aef978d0dc3304889b9c071
Opcode Fuzzy Hash: 745487f01de29384b24cc9a4ef6b21cf73ac434c06adc265a01a447a2b11a145
Instruction Fuzzy Hash: 2751E671A043019BC614BB79DC5AA2E36959B81305F40053FF802B7AE2EF7C991D879F

Uniqueness

Uniqueness Score: -1.00%

Function 00404F63, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 112timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32("A,0046B760,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004122EE), ref: 00404F9E
GetLocalTime.KERNEL32("A,0046B760,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004122EE), ref: 0040505B

Strings

KeepAlive timeout changed to %i, xrefs: 00405079
Connection KeepAlive enabled, xrefs: 00404FBB
"A, xrefs: 00405057, 00404F9A, 00404F9D, 0040505A
Connection KeepAlive timeout: %i, xrefs: 00405009
%02i:%02i:%02i:%03i [Info] , xrefs: 00404F8F, 00404FC0, 0040500E, 0040507E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: %02i:%02i:%02i:%03i [Info] $Connection KeepAlive enabled$Connection KeepAlive timeout: %i$KeepAlive timeout changed to %i$"A
API String ID: 481472006-2140864768
Opcode ID: a04544b1f9e1d80c6da35864c79a4b8895eb48ce15902b19a9cc140c48e8ae2c
Instruction ID: e339d98e415a46d9ac2feef82de3c74d07ee61679cef7cd1ebdb54cae42a20b0
Opcode Fuzzy Hash: a04544b1f9e1d80c6da35864c79a4b8895eb48ce15902b19a9cc140c48e8ae2c
Instruction Fuzzy Hash: D2413EA1D00208AACB14EBB69C15AFE77B8EB05705F10407BF501B21D2FB7D5A45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00413AA9, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00413CF6: __EH_prolog.LIBCMT ref: 00413CFB

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,Function_0005E66C), ref: 00413BA6
CloseHandle.KERNEL32(00000000), ref: 00413BAF
DeleteFileA.KERNEL32(00000000), ref: 00413BBE
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00413B72

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

Strings

<, xrefs: 00413B4D
@, xrefs: 00413B54
Temp, xrefs: 00413ACA

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$Temp
API String ID: 1704390241-1032778388
Opcode ID: 5d7b99058ebff37180785b27be8c20459b1d18c925803e5bfe03f3f58016c3c0
Instruction ID: d2eee4893fad882655ce2d708c2291829e91eab1c503e90b4904c98b6409f5c2
Opcode Fuzzy Hash: 5d7b99058ebff37180785b27be8c20459b1d18c925803e5bfe03f3f58016c3c0
Instruction Fuzzy Hash: 64419F719042099ACB14FB61CC56AED7734AF50319F40017EF506760E2EF7D1B8ACB89

Uniqueness

Uniqueness Score: -1.00%

Function 0044307E, Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00438296,00438296,?,?,?,004432CF,00000001,00000001,BBE85006), ref: 004430D8
__alloca_probe_16.LIBCMT ref: 00443110
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004432CF,00000001,00000001,BBE85006,?,?,?), ref: 0044315E
__alloca_probe_16.LIBCMT ref: 004431F5
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,BBE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00443258
__freea.LIBCMT ref: 00443265

Part of subcall function 0043E44C: RtlAllocateHeap.NTDLL(00000000,0042F96C,?,?,004310B7,?,?,00000000,?,?,0040BB2E,0042F96C,?,?,?,?), ref: 0043E47E

__freea.LIBCMT ref: 0044326E
__freea.LIBCMT ref: 00443293

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 9a4c0c8dfa07294c16f511724ffca4aa6cfcf1911198185062ebb401ef2f8663
Instruction ID: 003014841d61a7e0bdd85ef97706067aefefb4880142b4986354d0516e41bda6
Opcode Fuzzy Hash: 9a4c0c8dfa07294c16f511724ffca4aa6cfcf1911198185062ebb401ef2f8663
Instruction Fuzzy Hash: BC510672600216ABFB258F65CC41EBB77A9FF44F15F14466AFD04D6280DBB8DE40C668

Uniqueness

Uniqueness Score: -1.00%

Function 00414FCF, Relevance: 12.1, APIs: 8, Instructions: 101keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 00415003
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00415021
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 0041503E
SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00415050
SendInput.USER32(00000001,00000001,0000001C), ref: 00415067
SendInput.USER32(00000001,00000001,0000001C), ref: 00415084
SendInput.USER32(00000001,00000001,0000001C), ref: 004150A0
SendInput.USER32(00000001,?,0000001C,?), ref: 004150BD

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 4d8406b475d53d094f7708dccc8f0da2d7160c828e2210d65b6fe013d34f5e38
Instruction ID: 3d1e2aae88ce56a89cd9d2cdc5af6e88687acaef8919dee863f5e19c5652b85e
Opcode Fuzzy Hash: 4d8406b475d53d094f7708dccc8f0da2d7160c828e2210d65b6fe013d34f5e38
Instruction Fuzzy Hash: A3313071D9026DA9FB209BD1CC46FFFBF78AF58714F04000AE600AA1C2D2E995858BE5

Uniqueness

Uniqueness Score: -1.00%

Function 004476E6, Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00447755
_free.LIBCMT ref: 00447763
_free.LIBCMT ref: 00447891
_free.LIBCMT ref: 0044789C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0da712644960c383e90c405b7b70038f892df1cb66c1774335647f81ce5cff73
Instruction ID: f69dc2cab40c613cf788a82369a2a51ec3b9c48b80aeb60825c6b766f5fb0b6d
Opcode Fuzzy Hash: 0da712644960c383e90c405b7b70038f892df1cb66c1774335647f81ce5cff73
Instruction Fuzzy Hash: 1761CF31D04205AFEB20DF69C845B9ABBF5EF49310F24406BE945EB382E7749D42CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043D23C, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043E44C: RtlAllocateHeap.NTDLL(00000000,0042F96C,?,?,004310B7,?,?,00000000,?,?,0040BB2E,0042F96C,?,?,?,?), ref: 0043E47E

_free.LIBCMT ref: 0043D347
_free.LIBCMT ref: 0043D35E
_free.LIBCMT ref: 0043D37D
_free.LIBCMT ref: 0043D398
_free.LIBCMT ref: 0043D3AF

Strings

XcE, xrefs: 0043D28F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: XcE
API String ID: 3033488037-3582471009
Opcode ID: 7a0e43aec475f42b589a11b2fc0709605cab9be6f5457e930fa6b52710dda5ed
Instruction ID: 7b426d74d66a721c3afde6918cc160738a2fcc24053d25bc4b8bf8408d5db4ba
Opcode Fuzzy Hash: 7a0e43aec475f42b589a11b2fc0709605cab9be6f5457e930fa6b52710dda5ed
Instruction Fuzzy Hash: 5951EF31A00704ABDB20DF2AE841A6A73F5EF4D324F10556EEC09D73A1E739ED018B49

Uniqueness

Uniqueness Score: -1.00%

Function 0041B6A6, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 0041B758

Strings

TLS_AES_128_GCM_SHA256, xrefs: 0041B6CA, 0041B6DE, 0041B6F6, 0041B70C, 0041B752, 0041B756
ALL, xrefs: 0041B6D9
DEFAULT, xrefs: 0041B6F1
ECDSA, xrefs: 0041B83A
,E, xrefs: 0041B775, 0041B791

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _strncpy
String ID: ,E$ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
API String ID: 2961919466-488134631
Opcode ID: 9530519854a85386f709747d4b3957abb3c7ccc950989efe37b675abc6ab4898
Instruction ID: 49ea166dafacc97666a32ee8ee6be770de7da7770284e1c40db0432f1105f887
Opcode Fuzzy Hash: 9530519854a85386f709747d4b3957abb3c7ccc950989efe37b675abc6ab4898
Instruction Fuzzy Hash: FD512A35D043059ADF20AAA588817FFBBB9DF44708F14407FEC55A7382E379898687D9

Uniqueness

Uniqueness Score: -1.00%

Function 00401CCF, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D14

Part of subcall function 00401A44: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401AAC

waveInUnprepareHeader.WINMM(0046AA78,00000020,00000000,?), ref: 00401DC6
waveInPrepareHeader.WINMM(0046AA78,00000020), ref: 00401E04
waveInAddBuffer.WINMM(0046AA78,00000020), ref: 00401E13

Strings

%Y-%m-%d %H.%M, xrefs: 00401D05
.wav, xrefs: 00401D2D

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 27328ad256579990b78b43bd5b4c99ad198a8d80aa8278b95f8a3407c122f857
Instruction ID: 2813ea202a96159af7f6a3114ff2599f915672877f0fcc3236a6a8a6963a5caf
Opcode Fuzzy Hash: 27328ad256579990b78b43bd5b4c99ad198a8d80aa8278b95f8a3407c122f857
Instruction Fuzzy Hash: FE3159315147009BC314EF62DD56A9E77A8AB54308F00483FF945A21F2EF789A59CF9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A838, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00410619: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,00000000,00000000), ref: 0041063B
Part of subcall function 00410619: RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,?,00000400), ref: 0041065A
Part of subcall function 00410619: RegCloseKey.ADVAPI32(00000000), ref: 00410663

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A8BA
PathFileExistsA.SHLWAPI(?), ref: 0040A8C7

Strings

[IE cookies cleared!], xrefs: 0040A914, 0040A930
Cookies, xrefs: 0040A84C
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040A851
[IE cookies not found], xrefs: 0040A88F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: eb478498ed2acbb469e566815f7a2be38cef67a1ee24078205f771e11be405ee
Instruction ID: 43a9d692eefcde3de50f535b7ff1481656e847da9067895d312ecb23c0d3b01b
Opcode Fuzzy Hash: eb478498ed2acbb469e566815f7a2be38cef67a1ee24078205f771e11be405ee
Instruction Fuzzy Hash: B821E371A102056ACB08F7B2CC5BCEE73289F50304F84017FB901731D2EB7C9A5AC69A

Uniqueness

Uniqueness Score: -1.00%

Function 0044F813, Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f7a67c063cfcf614d0db3c97daea858a2a2fbddf935f83a1c17910d08094d3
Instruction ID: 357bb96dc563beb838815e95e5c2da036d7c538c26bd4b34adcc74ca30fb8d4f
Opcode Fuzzy Hash: 78f7a67c063cfcf614d0db3c97daea858a2a2fbddf935f83a1c17910d08094d3
Instruction Fuzzy Hash: D511D232504215BBEB207FB68C0596B3AACEF8A764B11457BB8159A281DB78CC04C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE23, Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040EE30
int.LIBCPMT ref: 0040EE43

Part of subcall function 0040BDAF: std::_Lockit::_Lockit.LIBCPMT ref: 0040BDC0
Part of subcall function 0040BDAF: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDDA

std::locale::_Getfacet.LIBCPMT ref: 0040EE4C
std::_Facet_Register.LIBCPMT ref: 0040EE83
std::_Lockit::~_Lockit.LIBCPMT ref: 0040EE8C
__CxxThrowException@8.LIBVCRUNTIME ref: 0040EEAA
__Init_thread_footer.LIBCMT ref: 0040EEEB

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
String ID:
API String ID: 2409581025-0
Opcode ID: 43ef2f812d39cf4b3a28cfedbbde6b3944535b5f762c62394cbdaada7a089694
Instruction ID: b6a716d8b59e952dde3afb300bae2208341dfd6859464876faa475c96ed23667
Opcode Fuzzy Hash: 43ef2f812d39cf4b3a28cfedbbde6b3944535b5f762c62394cbdaada7a089694
Instruction Fuzzy Hash: E3210732A001249BC710FB6AE8469AE73689F44724B60057FF805B72D1EB796D0187DE

Uniqueness

Uniqueness Score: -1.00%

Function 00416BC8, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0046AACC,?,?,?,?,?,?,?,?,?,?,?,00413352), ref: 00416BDB
GetProcAddress.KERNEL32(00000000), ref: 00416BE2
Sleep.KERNEL32(000003E8,?,0046AACC,?,?,?,?,?,?,?,?,?,?,?,00413352,00000095), ref: 00416BFD
__aulldiv.LIBCMT ref: 00416C71

Strings

kernel32.dll, xrefs: 00416BD6
GetSystemTimes, xrefs: 00416BD1

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcSleep__aulldiv
String ID: GetSystemTimes$kernel32.dll
API String ID: 482274533-1354958348
Opcode ID: 86793f67c856018cb51bfcd3e912b70c74ca26b28de31310c5de2819ea7c7c4c
Instruction ID: c9dcb58400560f216b26306126f44125bfeac0cec880bd2bd8b3e4c4d5cdede3
Opcode Fuzzy Hash: 86793f67c856018cb51bfcd3e912b70c74ca26b28de31310c5de2819ea7c7c4c
Instruction Fuzzy Hash: AC116077D002186ACB14ABF5CC85DEF7B7CEA85655F05067BF901A3141FD38AA08C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00447BBB, Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00447902: _free.LIBCMT ref: 0044792B

_free.LIBCMT ref: 00447C09

Part of subcall function 0043ECB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000), ref: 0043ECCB
Part of subcall function 0043ECB5: GetLastError.KERNEL32(00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000,00000000), ref: 0043ECDD

_free.LIBCMT ref: 00447C14
_free.LIBCMT ref: 00447C1F
_free.LIBCMT ref: 00447C73
_free.LIBCMT ref: 00447C7E
_free.LIBCMT ref: 00447C89
_free.LIBCMT ref: 00447C94

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ba511d0a131fed2d8676c4bcbc1129c1ca1e6124221ef08dcd02d2248df65d4b
Instruction ID: 691c28a98b648f465c1e86bb0b1117328d7f79ff389db681bda489683e58d4c7
Opcode Fuzzy Hash: ba511d0a131fed2d8676c4bcbc1129c1ca1e6124221ef08dcd02d2248df65d4b
Instruction Fuzzy Hash: 0E11AFB1506B48AAFA21BBB2CD07FCB779D5F04304F401C1EB69AA60D3DB2CB4068684

Uniqueness

Uniqueness Score: -1.00%

Function 0040F133, Relevance: 10.6, APIs: 7, Instructions: 64COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040F140
int.LIBCPMT ref: 0040F153

Part of subcall function 0040BDAF: std::_Lockit::_Lockit.LIBCPMT ref: 0040BDC0
Part of subcall function 0040BDAF: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDDA

std::locale::_Getfacet.LIBCPMT ref: 0040F15C
std::_Facet_Register.LIBCPMT ref: 0040F193
std::_Lockit::~_Lockit.LIBCPMT ref: 0040F19C
__CxxThrowException@8.LIBVCRUNTIME ref: 0040F1BA
std::exception::exception.LIBCMT ref: 0040F1C9

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::exception::exceptionstd::locale::_
String ID:
API String ID: 2287991272-0
Opcode ID: 5510bf3dde75cd5b8752355ffe32c01b5972640972b135cb44bf3b48ca7ff497
Instruction ID: 8fe6f12ce98adb17160cf2b76ad261db9c5d7970e5275f7bb35532b56f7447c7
Opcode Fuzzy Hash: 5510bf3dde75cd5b8752355ffe32c01b5972640972b135cb44bf3b48ca7ff497
Instruction Fuzzy Hash: CA11C872A00118E7C710ABA9E84589EBB68DF40764B50017FF905AB691EB78AD4487DD

Uniqueness

Uniqueness Score: -1.00%

Function 00434A45, Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00434A3C,00431B82), ref: 00434A53
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00434A61
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00434A7A
SetLastError.KERNEL32(00000000,?,00434A3C,00431B82), ref: 00434ACC

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 81b833f2b727956a95a7bb9bfb647ead3a9061a2e2cc328cf3b2166d104c91aa
Instruction ID: 9187164e7c58d16e5d78476946b12740c95f2365cebc62bbea4706a28b791c89
Opcode Fuzzy Hash: 81b833f2b727956a95a7bb9bfb647ead3a9061a2e2cc328cf3b2166d104c91aa
Instruction Fuzzy Hash: AC01283224D3112DA61437757C85AAB2B99DB8D778F20333FF114851F1EEA95C01914D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3B2, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040A3EE
GetLastError.KERNEL32 ref: 0040A3F8

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A3B9
[Chrome Cookies found, cleared!], xrefs: 0040A41E
[Chrome Cookies not found], xrefs: 0040A412
UserProfile, xrefs: 0040A3BE

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: b38c661bb41dda2bab8162cabc9ebd2de366da51007103003e0f0f0a4fa058e6
Instruction ID: da61bdf8d2cbb777d2b248290f03a7c23f0e1186ba4cd8e2be58be0622380a16
Opcode Fuzzy Hash: b38c661bb41dda2bab8162cabc9ebd2de366da51007103003e0f0f0a4fa058e6
Instruction Fuzzy Hash: 5601A721A8020656CA0CBB76DD1F8BF7724A912709B50013FF902732D3EDBE5A1D869B

Uniqueness

Uniqueness Score: -1.00%

Function 004050D1, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046B2E0,?,00404C65,00000001,0046B2E0,00404C13,00000000,00000000,00000000), ref: 0040510F
SetEvent.KERNEL32(?,?,00404C65,00000001,0046B2E0,00404C13,00000000,00000000,00000000), ref: 0040511B
WaitForSingleObject.KERNEL32(?,000000FF,?,00404C65,00000001,0046B2E0,00404C13,00000000,00000000,00000000), ref: 00405126
CloseHandle.KERNEL32(?,?,00404C65,00000001,0046B2E0,00404C13,00000000,00000000,00000000), ref: 0040512F

Part of subcall function 0041693E: GetLocalTime.KERNEL32(00000000), ref: 00416958

Strings

[WARNING], xrefs: 004050F7
Connection KeepAlive disabled, xrefs: 004050E8

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive disabled$[WARNING]
API String ID: 2993684571-804309475
Opcode ID: 458d228cc791a77b1e0705b7a7d6d3c36e5158f744eecde3aee813a8fb5ce90f
Instruction ID: f0025f9e48947be225ee94268f92c625b598d8074cfc7fc0fc866f910aab019d
Opcode Fuzzy Hash: 458d228cc791a77b1e0705b7a7d6d3c36e5158f744eecde3aee813a8fb5ce90f
Instruction Fuzzy Hash: FEF04C718047003BDB103B758D0D66B3F58CB02315F00056BF942915F3D9F5D8408B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043B84A, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0043B83F,0043E44B,?,0043B7DF,0043E44B,00467150,0000000C,0043B8F2,0043E44B,00000002), ref: 0043B86A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043B87D
FreeLibrary.KERNEL32(00000000,?,?,?,0043B83F,0043E44B,?,0043B7DF,0043E44B,00467150,0000000C,0043B8F2,0043E44B,00000002,00000000), ref: 0043B8A0

Strings

Z@, xrefs: 0043B88E
CorExitProcess, xrefs: 0043B875
mscoree.dll, xrefs: 0043B863

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$Z@$mscoree.dll
API String ID: 4061214504-2274661236
Opcode ID: c89a12c4620076b052ea7df56ca3452696c6cef1d82deb23be0b7a7f64b2224b
Instruction ID: f0a85b332e14be75605d593809da49c34513ab8308c9f5102cfb3f8b4f15d65b
Opcode Fuzzy Hash: c89a12c4620076b052ea7df56ca3452696c6cef1d82deb23be0b7a7f64b2224b
Instruction Fuzzy Hash: 73F06830A00318BBCF156F50DD49B9EBFB8EF09756F4141BAF905A2251DB749E44CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041644B, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041693E: GetLocalTime.KERNEL32(00000000), ref: 00416958

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041647D
PlaySoundW.WINMM(00000000,00000000), ref: 0041648B
Sleep.KERNEL32(00002710), ref: 00416492
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041649B

Strings

[ALARM], xrefs: 00416463
Alarm has been triggered!, xrefs: 00416454

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm has been triggered!$[ALARM]
API String ID: 614609389-1190268461
Opcode ID: 1bd2f5f2788a4a12e2aac3afe4a9dd67fbc9bc09be6b0cc423dc5a6337df95e8
Instruction ID: a6e7c8813547034dee1d3ba0469c2b66b9b5867bf8c9c567c7b32c21de267c55
Opcode Fuzzy Hash: 1bd2f5f2788a4a12e2aac3afe4a9dd67fbc9bc09be6b0cc423dc5a6337df95e8
Instruction Fuzzy Hash: 32E09222A40310378924337B6E0FD2F2D28DAC3B51701006FFB04671D29D944800C6FB

Uniqueness

Uniqueness Score: -1.00%

Function 00435129, Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004352B6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004352D2
__allrem.LIBCMT ref: 004352E9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00435307
__allrem.LIBCMT ref: 0043531E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043533C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c485ca43a9a50da213a26838af8388b00718d5a61deaaff96c33cc8e4a42be01
Instruction ID: 58622de95f4f5decb9fd44124e309b5a4a7af878de2f34de6433e08b7416b1b3
Opcode Fuzzy Hash: c485ca43a9a50da213a26838af8388b00718d5a61deaaff96c33cc8e4a42be01
Instruction Fuzzy Hash: 47810B71A00F059BEB209E69CC41B6F73A8EF48764F14552FF851D7281E778DD408B99

Uniqueness

Uniqueness Score: -1.00%

Function 0043DC0E, Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0043DC3A
__cftoe.LIBCMT ref: 0043DC6C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 726183e1224469644e7afdf395b001a8579ee8f269ac404559ab36ad367c424e
Instruction ID: b345d7d93477ae85e426f1832f9542e4087b44f7ea72d3c8d6d6c9dada2b4e1e
Opcode Fuzzy Hash: 726183e1224469644e7afdf395b001a8579ee8f269ac404559ab36ad367c424e
Instruction Fuzzy Hash: 4D512832D00205ABDF205B6AAC41EAF77A99F4D334F60611FF815962D2DB78D900DA6C

Uniqueness

Uniqueness Score: -1.00%

Function 0043FAA4, Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0043FBAC
__freea.LIBCMT ref: 0043FC56
__freea.LIBCMT ref: 0043FC74

Part of subcall function 00430510: _free.LIBCMT ref: 00430526

Strings

a/p, xrefs: 0043FD3B
am/pm, xrefs: 0043FCD7

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: bf8109783cc718a4c3deb6e8e4b497c0b681555e37dfd1e6364b7ec039941162
Instruction ID: 9e3dc2e3e0a6ae8f3f5a9dbdaea5f447c4783e4dcebf7c7492eec4272e0caadb
Opcode Fuzzy Hash: bf8109783cc718a4c3deb6e8e4b497c0b681555e37dfd1e6364b7ec039941162
Instruction Fuzzy Hash: 21D1E231D002068ADB249F68C8566BBB7B1FF0D300F24617BE9059B7A2D33D9D49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004162F1, Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00415A53), ref: 00416301
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00415A53), ref: 00416315
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415A53), ref: 00416322
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00415A53), ref: 00416357
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415A53), ref: 00416369
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00415A53), ref: 0041636C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: a11dd0e6e5ccd742c18e839b6283622ff67e4074cd57b176c45cfdc9b4b2f5ce
Instruction ID: babf0d5a7b53bfb9f17cc3cbf5cd1cb98c0c8632a08143dd8a3224ad3c9f3502
Opcode Fuzzy Hash: a11dd0e6e5ccd742c18e839b6283622ff67e4074cd57b176c45cfdc9b4b2f5ce
Instruction Fuzzy Hash: F70149311452187AD2114B75DC0EEBF3B6CDB02771F00032BFE35922D1DAA8CE42C1A9

Uniqueness

Uniqueness Score: -1.00%

Function 004422A1, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044232C
__alldvrm.LIBCMT ref: 0044252D
__alldvrm.LIBCMT ref: 0044254F

Strings

WmC, xrefs: 004422BD

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID: WmC
API String ID: 1036877536-2838815975
Opcode ID: 31e801c643c0998d5f1c50542e9bc9fa4dd92c1628faeaa64553ddae2526f446
Instruction ID: 8a3dc5deba82e50c3c3074af3da605539f7d46482fd3102d6b4d1479785927ec
Opcode Fuzzy Hash: 31e801c643c0998d5f1c50542e9bc9fa4dd92c1628faeaa64553ddae2526f446
Instruction Fuzzy Hash: E0A14572900746AFFB11CE28C9917AEBBE5EF55314F54416FF8859B382C2BC8942C758

Uniqueness

Uniqueness Score: -1.00%

Function 004407A2, Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00438E18,00434ED5,00438E18,?,?,00436D17,FF8BC35D,?,?), ref: 004407A6
_free.LIBCMT ref: 004407D9
_free.LIBCMT ref: 00440801
SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044080E
SetLastError.KERNEL32(00000000,FF8BC35D,?,?), ref: 0044081A
_abort.LIBCMT ref: 00440820

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7dc8c4b78c5c139a29f502acd66fb1a870cb33bccf29e1fc0e05ae14478ad5ac
Instruction ID: bc9a8898f8f99b9db3a85af9122800adca1e72d816864fb38d76928c9bf8c987
Opcode Fuzzy Hash: 7dc8c4b78c5c139a29f502acd66fb1a870cb33bccf29e1fc0e05ae14478ad5ac
Instruction Fuzzy Hash: 3CF0F93A14460166F60133276C4AA1F15295FD2769F35003BF615A62D2EEBC8D2245AE

Uniqueness

Uniqueness Score: -1.00%

Function 0041611F, Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,?,00415CD0), ref: 0041612E
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,?,00415CD0), ref: 00416142
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415CD0), ref: 0041614F
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00415CD0), ref: 0041615E
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415CD0), ref: 00416170
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415CD0), ref: 00416173

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 53a579242c89f74813b78daf671aab0e28c09bbe9483fba1a99ce8644ccaa42d
Instruction ID: 80535ad1d212fe559737f20e5d5c124c15fcc68ab3ac0bfcb5799164db36a840
Opcode Fuzzy Hash: 53a579242c89f74813b78daf671aab0e28c09bbe9483fba1a99ce8644ccaa42d
Instruction Fuzzy Hash: EEF0C2325013187BD2116B65DC89EBF3B6CDB46BA1F000027FE0592192DAA8CD46D5F9

Uniqueness

Uniqueness Score: -1.00%

Function 00416223, Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,?,00415C56), ref: 00416232
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,?,00415C56), ref: 00416246
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415C56), ref: 00416253
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,00415C56), ref: 00416262
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415C56), ref: 00416274
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415C56), ref: 00416277

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: ac391b0ce05f7129c698ee4ec782ae0574099485deb89f9d9e7e3ac542778fa8
Instruction ID: e02cfe458aff3eee76900ea6cc20a711a9fb58a49e1aa5e2a0b2db93b8b4358a
Opcode Fuzzy Hash: ac391b0ce05f7129c698ee4ec782ae0574099485deb89f9d9e7e3ac542778fa8
Instruction Fuzzy Hash: 24F0C2325413186BD2116B65DC49EBF3B6CDB46BA2F00006BFE09A2192DB78CD46D5F9

Uniqueness

Uniqueness Score: -1.00%

Function 0041628A, Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,?,00415BDC), ref: 00416299
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,?,00415BDC), ref: 004162AD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415BDC), ref: 004162BA
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,00415BDC), ref: 004162C9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415BDC), ref: 004162DB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00415BDC), ref: 004162DE

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: dd46e339b9727b07c3ceabe3ae7841ae8b20f7ee8c1a7649d202fc9cad6efa98
Instruction ID: 6a9956e71a13f405426b50b2aa5d5557c79d4d9a69c6334cf7acefa59cb4e479
Opcode Fuzzy Hash: dd46e339b9727b07c3ceabe3ae7841ae8b20f7ee8c1a7649d202fc9cad6efa98
Instruction Fuzzy Hash: 69F0C2325022186BD211AB65DC49EBF3B6CDB46BA1F00006BFE09A2192DA78CD46D5B9

Uniqueness

Uniqueness Score: -1.00%

Function 004154B5, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 124fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041464D: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00414668
Part of subcall function 0041464D: CreateCompatibleDC.GDI32(00000000), ref: 00414674

SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 0041550E

Part of subcall function 00414162: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00414178

Part of subcall function 004141DA: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004141EB

Part of subcall function 0041762A: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,00413490), ref: 00417647

DeleteFileW.KERNEL32(00000000,0000001B), ref: 00415597

Strings

png, xrefs: 004154C8
dat, xrefs: 004155E3
image/png, xrefs: 00415526

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
String ID: dat$image/png$png
API String ID: 1095564277-186023265
Opcode ID: 790696a191180b5428bbb6314ec5308c063199aac7ae39845b2d9d03809a0edd
Instruction ID: dc169a17277b33a72ddcdbd74c64dcf2890ee9cdf38922d70b8cd1aab5c73cfb
Opcode Fuzzy Hash: 790696a191180b5428bbb6314ec5308c063199aac7ae39845b2d9d03809a0edd
Instruction Fuzzy Hash: 97414E721143405AC314FB22CC56DEF77A9AFA1358F40093FB546631E2EF785A49CA9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409036, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00409277: GetLocalTime.KERNEL32(?,?,00000000), ref: 00409285
Part of subcall function 00409277: SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0040932B

Part of subcall function 0041693E: GetLocalTime.KERNEL32(00000000), ref: 00416958

CreateThread.KERNEL32 ref: 004090B8

Part of subcall function 00408667: GetKeyboardLayout.USER32 ref: 0040866C

CreateThread.KERNEL32 ref: 004090A0
CreateThread.KERNEL32 ref: 004090AC

Strings

[Info], xrefs: 0040906C
Online Keylogger Started, xrefs: 0040904A, 0040904F, 00409061

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$EventKeyboardLayout
String ID: Online Keylogger Started$[Info]
API String ID: 1855134701-3401407043
Opcode ID: 04b00a43460c07bf53ca9fd5f1c6f0c55602cafccc229fdec96522bf0a5e582c
Instruction ID: ffb3782fd3b5bc14132210a38b851f534617e3803e8b15661b81745d2a7844cb
Opcode Fuzzy Hash: 04b00a43460c07bf53ca9fd5f1c6f0c55602cafccc229fdec96522bf0a5e582c
Instruction Fuzzy Hash: D701AD907003583EEA34323A4ECAD7F295DCA8279DB50047FF681362C7C9BE5D1582BA

Uniqueness

Uniqueness Score: -1.00%

Function 00418767, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 004187B3
CreateWindowExA.USER32 ref: 004187CE
GetLastError.KERNEL32 ref: 004187D8

Strings

0, xrefs: 00418783
MsgWindowClass, xrefs: 0041877E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 88dd2cb0b7e5224f3a48c523a3c1967ef6e7b3b6370704ee8bcb85a355c0e53d
Instruction ID: 6b9f625a433476005b3a5c8ea206c1e154186f2bd23fdf1d7d0c5391b77aeabb
Opcode Fuzzy Hash: 88dd2cb0b7e5224f3a48c523a3c1967ef6e7b3b6370704ee8bcb85a355c0e53d
Instruction Fuzzy Hash: 8101E5B1D0021DABDB01DFE59C849EFBBBCFB05395F50052AF914A6240EB749A058AA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA36, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32 ref: 0040DA7A
CloseHandle.KERNEL32(?), ref: 0040DA89
CloseHandle.KERNEL32(?), ref: 0040DA8E

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040DA75
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040DA70

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: ecb6104889703d9ba59b01f55d868b2e27d6fd928097d7a8456575eb3a4aab44
Instruction ID: 8d7d6f26bbf001d4538a86997aaf97dec3abc3c6381e2ec01336d66c600126d4
Opcode Fuzzy Hash: ecb6104889703d9ba59b01f55d868b2e27d6fd928097d7a8456575eb3a4aab44
Instruction Fuzzy Hash: 51F062B2A0021C7EEB006AE9DC85EEFBB6CEB48795F000437F604E6021D5705D088AAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405151, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,0040514C), ref: 00405167
CloseHandle.KERNEL32(?), ref: 004051BD
SetEvent.KERNEL32(?), ref: 004051CC

Strings

Connection timeout, xrefs: 0040518C
[WARNING], xrefs: 0040519B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection timeout$[WARNING]
API String ID: 2055531096-1470507543
Opcode ID: 34d2b0a3e59c3d8cb9088dbc88fc8b39217cccdb8c0cf6febaab038295c99282
Instruction ID: c5fc5feaf08e1b76cf53ab72d39df17c7e473e84f07f4fdeaddf406c535f4cac
Opcode Fuzzy Hash: 34d2b0a3e59c3d8cb9088dbc88fc8b39217cccdb8c0cf6febaab038295c99282
Instruction Fuzzy Hash: AA01D871A00B409FC7257F35894541BBB91EF05305744093FE58356A92C7F8E404CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC8E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040BC99
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BCD8

Part of subcall function 0042FD10: _Yarn.LIBCPMT ref: 0042FD2F
Part of subcall function 0042FD10: _Yarn.LIBCPMT ref: 0042FD53

std::bad_exception::bad_exception.LIBCMT ref: 0040BCF0
__CxxThrowException@8.LIBVCRUNTIME ref: 0040BCFE

Strings

bad locale name, xrefs: 0040BCE8

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 3706160523-1405518554
Opcode ID: 471d0a3eb6f18164c58f12fdb3f803901cf1b36a5460c558e7f2e97e00106c06
Instruction ID: cce9436ef5af9d9e0aa47d08c9b547fae63cce7d0aebb18370cd74cdef0a01b1
Opcode Fuzzy Hash: 471d0a3eb6f18164c58f12fdb3f803901cf1b36a5460c558e7f2e97e00106c06
Instruction Fuzzy Hash: E2F08131A086046AC724FBA1E853A9F73689F14718F90453FF416224D1AF78E60CCB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00449C78, Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ffd2c8080ab33758561586983ee2a9cc749a0287f118b4d994962f57a162ab
Instruction ID: 5c05800b411b90699fd233bfadff862d6cccd98fc8a3bda0703737218b0a8d41
Opcode Fuzzy Hash: 17ffd2c8080ab33758561586983ee2a9cc749a0287f118b4d994962f57a162ab
Instruction Fuzzy Hash: E171CF71A00216DBEB21CB95C984ABFBB79FF45310F24422BE411672D1D7788D42E7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00404466, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 201sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004028B8: std::_Xinvalid_argument.LIBCPMT ref: 004028BD

Sleep.KERNEL32(00000000,?), ref: 004045BB

Part of subcall function 004046E8: __EH_prolog.LIBCMT ref: 004046ED

Strings

GetFrame, xrefs: 00404680
OpenCamera, xrefs: 00404663
FreeFrame, xrefs: 00404691
CloseCamera, xrefs: 0040466F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: H_prologSleepXinvalid_argumentstd::_
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 834325642-3547787478
Opcode ID: 4d5f721bcfede83c9a5fad6f7550edefda98e95aa4f93df94dbb0c563b57f6d1
Instruction ID: e626e6235df5ee6be681daef2f02d13774d95e2739cfa61c06708c7db8486bb8
Opcode Fuzzy Hash: 4d5f721bcfede83c9a5fad6f7550edefda98e95aa4f93df94dbb0c563b57f6d1
Instruction Fuzzy Hash: FA51C6B1A0020167CA04BB76D91AA6E37559B81704F00453FF906BB7E2EF7D8A05CB9F

Uniqueness

Uniqueness Score: -1.00%

Function 004418F2, Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004580EC), ref: 0044195C
WideCharToMultiByte.KERNEL32(00000000,00000000,0046A754,000000FF,00000000,0000003F,00000000,?,?), ref: 004419D4
WideCharToMultiByte.KERNEL32(00000000,00000000,0046A7A8,000000FF,?,0000003F,00000000,?), ref: 00441A01
_free.LIBCMT ref: 0044194A

Part of subcall function 0043ECB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000), ref: 0043ECCB
Part of subcall function 0043ECB5: GetLastError.KERNEL32(00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000,00000000), ref: 0043ECDD

_free.LIBCMT ref: 00441B16

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 7f1e676337b16c5dd9a132eaf644aa2ca31be4a681e4d3ee7f1a48c5365bb85d
Instruction ID: bdedeada01e91b5c5edafd2a4b33b5ae106ad81bc58f3a3e106cc9c82f5a5fcf
Opcode Fuzzy Hash: 7f1e676337b16c5dd9a132eaf644aa2ca31be4a681e4d3ee7f1a48c5365bb85d
Instruction Fuzzy Hash: 41511671900205ABEB10DF66DC819ABB7BCEF44315F10426FE414A32A1FB788E81CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043C328, Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043C39A
_free.LIBCMT ref: 0043C3BA

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c4304664b5a898e04cba72e1152a8bc46d1f9bdbdaa9467d6a9a6a7f954a20c6
Instruction ID: 09272bf2ebec948f524b1e669567ada1302c765949b9feec1dcf83bbf5e248c2
Opcode Fuzzy Hash: c4304664b5a898e04cba72e1152a8bc46d1f9bdbdaa9467d6a9a6a7f954a20c6
Instruction Fuzzy Hash: 39410232E002109FDB20DF79C8C1A6EB3A5EF88314F11916AE905EB391EB75AD01CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00447DED, Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043927C,?,00000000,?,00000001,?,?,00000001,0043927C,?), ref: 00447E3A
__alloca_probe_16.LIBCMT ref: 00447E72
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00447EC3
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004354D1,?), ref: 00447ED5
__freea.LIBCMT ref: 00447EDE

Part of subcall function 0043E44C: RtlAllocateHeap.NTDLL(00000000,0042F96C,?,?,004310B7,?,?,00000000,?,?,0040BB2E,0042F96C,?,?,?,?), ref: 0043E47E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 944780c156ac372b1913da08a0912a98f2dfb40cea11d1a3a16e8e450e2e96cd
Instruction ID: fd7b02e282cfc0bd355a2c2698e014445e45a20f13daa27146ef5aeba38b4fce
Opcode Fuzzy Hash: 944780c156ac372b1913da08a0912a98f2dfb40cea11d1a3a16e8e450e2e96cd
Instruction Fuzzy Hash: 0E31E132A0021AABEF24DF65CC41DAF7BA5EB44314F2442AAFC04D7291E739CD55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A952, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040A967
Sleep.KERNEL32(00001388), ref: 0040A9EF

Strings

[Info], xrefs: 0040AA4A
[Cleared browsers logins and cookies.], xrefs: 0040AA2A
Cleared browsers logins and cookies., xrefs: 0040AA3B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[Info]
API String ID: 3472027048-899236412
Opcode ID: 0977addc0ef3998abcef9368a52620f1c4dc8bfa9f00f5da14046fb512757507
Instruction ID: 036b2d57af0a5a2050ec03b75ab21f970c606a821f311e77a0fffc42bde9e563
Opcode Fuzzy Hash: 0977addc0ef3998abcef9368a52620f1c4dc8bfa9f00f5da14046fb512757507
Instruction Fuzzy Hash: 1E31C3413483806ACA1567B555267AF6B814A63788F0D487FFCC43B3D3D9BA4828C76F

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BBD
waveInOpen.WINMM(0046AAB0,000000FF,0046AA98,Function_00001CCF,00000000,00000000,00000024), ref: 00401C53
waveInPrepareHeader.WINMM(0046AA78,00000020), ref: 00401CA7
waveInAddBuffer.WINMM(0046AA78,00000020), ref: 00401CB6
waveInStart.WINMM ref: 00401CC2

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 84a28886128b109e727b155294044f3e5f8ca7afe2873cd9b3604cf7c353eac1
Instruction ID: 97430d45f9993ad0542189d406881c37de9285a06cc863a0e95499e0067b0253
Opcode Fuzzy Hash: 84a28886128b109e727b155294044f3e5f8ca7afe2873cd9b3604cf7c353eac1
Instruction Fuzzy Hash: F7212731614A00ABC7059FF6AF1591A7BA5EB98304700403FE505F66B1FBB88420CF4F

Uniqueness

Uniqueness Score: -1.00%

Function 00440826, Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00436288,00000000,?,?,0043630C,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044082B
_free.LIBCMT ref: 00440860
_free.LIBCMT ref: 00440887
SetLastError.KERNEL32(00000000), ref: 00440894
SetLastError.KERNEL32(00000000), ref: 0044089D

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4a36d0c0a263f6fc43e8a784c6676a64ddf2316c2fa41055a5318f87668a87ae
Instruction ID: da0efd3d63c89dad1fb580cabe4ba201042112b7bd7af219a2602c546bb606c6
Opcode Fuzzy Hash: 4a36d0c0a263f6fc43e8a784c6676a64ddf2316c2fa41055a5318f87668a87ae
Instruction Fuzzy Hash: EE01F97A20070166B30137776D8991F192D9BD2365B25053BFA09A22D3FEBCCD2545AE

Uniqueness

Uniqueness Score: -1.00%

Function 00412B25, Relevance: 7.5, APIs: 5, Instructions: 43clipboardCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00412B30
GetClipboardData.USER32 ref: 00412B45
GlobalLock.KERNEL32 ref: 00412B4E
GlobalUnlock.KERNEL32(00000000), ref: 00412B57
CloseClipboard.USER32 ref: 00412B5D

Part of subcall function 00404A63: send.WS2_32(?,00000000,00000000,00000000), ref: 00404AD6

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataEmptyLockUnlocksend
String ID:
API String ID: 728533759-0
Opcode ID: 88fbb66c95e54e309134b4d68ea0bb6f0f3828314eff701e72862ed0c2fc61af
Instruction ID: cd12dad50be15e759b589937e51acbf03ae5ea984525b5d9a3421831f05fe9b9
Opcode Fuzzy Hash: 88fbb66c95e54e309134b4d68ea0bb6f0f3828314eff701e72862ed0c2fc61af
Instruction Fuzzy Hash: 18F0A97160030057C6147B719D49A5E7694AF92742F40443FED02D22E2DF7DC945C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044767D, Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00447695

Part of subcall function 0043ECB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000), ref: 0043ECCB
Part of subcall function 0043ECB5: GetLastError.KERNEL32(00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000,00000000), ref: 0043ECDD

_free.LIBCMT ref: 004476A7
_free.LIBCMT ref: 004476B9
_free.LIBCMT ref: 004476CB
_free.LIBCMT ref: 004476DD

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3047af39a7e588de61ac28327fdc47a307efd3baf47e941efdef7ee286bbc4f5
Instruction ID: a17ca90f80e286477f67142dd108074a750de2f38a264bd48723206a59487bf9
Opcode Fuzzy Hash: 3047af39a7e588de61ac28327fdc47a307efd3baf47e941efdef7ee286bbc4f5
Instruction Fuzzy Hash: AEF0683240960167AA10DB6EE585C4F73EFAA45720B65180FF409D7781C7B8FC81866C

Uniqueness

Uniqueness Score: -1.00%

Function 0043C577, Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043C595

Part of subcall function 0043ECB5: RtlFreeHeap.NTDLL(00000000,00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000), ref: 0043ECCB
Part of subcall function 0043ECB5: GetLastError.KERNEL32(00000000,?,00447930,00000000,00000000,00000000,00000000,?,00447BD4,00000000,00000007,00000000,?,0044811F,00000000,00000000), ref: 0043ECDD

_free.LIBCMT ref: 0043C5A7
_free.LIBCMT ref: 0043C5BA
_free.LIBCMT ref: 0043C5CB
_free.LIBCMT ref: 0043C5DC

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 153605b45b9c8586e25df284a886af5936c740bc1766a9862b692e032dd15531
Instruction ID: d155b8273b0a4ac72ce49109de2065eb88338a3d09bb127f4625f55b1c4a57d1
Opcode Fuzzy Hash: 153605b45b9c8586e25df284a886af5936c740bc1766a9862b692e032dd15531
Instruction Fuzzy Hash: 52F030714039219FCB016FA6AE414093765E70D724700212BF401A27F1F7BA1861CF8F

Uniqueness

Uniqueness Score: -1.00%

Function 00410AC5, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00410B2C
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00410B5B
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00410BFB

Strings

[regsplt], xrefs: 00410C87

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 071838f5fb7e9a45cfdf70b8ec0985556a11e6887abb92d3ea5527c457536c73
Instruction ID: 738b8d5189aeb73cee7615fdc30fa987193c62ebee6e4f670f4951ace411896a
Opcode Fuzzy Hash: 071838f5fb7e9a45cfdf70b8ec0985556a11e6887abb92d3ea5527c457536c73
Instruction Fuzzy Hash: 26513BB1900219AADB14EA95CC82EEFB77DAF04308F50017BF505F2191EF786B49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00445329, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 00445378
_free.LIBCMT ref: 00445495

Part of subcall function 0043631A: IsProcessorFeaturePresent.KERNEL32(00000017,004362EC,00000000,00000000,?,00000000,00000000,00000000,?,?,0043630C,00000000,00000000,00000000,00000000,00000000), ref: 0043631C
Part of subcall function 0043631A: GetCurrentProcess.KERNEL32(C0000417), ref: 0043633E
Part of subcall function 0043631A: TerminateProcess.KERNEL32(00000000), ref: 00436345

Strings

*?, xrefs: 0044536C
., xrefs: 0044564C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6683730ae5693b5dcbf48bbd01ca64e78be321878a6ce83c5942b06963babda9
Instruction ID: dd39e7fd5d320983480d77a7a36b75251b4311ea7c879dfdb1dd3f9dd4bcde39
Opcode Fuzzy Hash: 6683730ae5693b5dcbf48bbd01ca64e78be321878a6ce83c5942b06963babda9
Instruction Fuzzy Hash: 8951C371E00509AFEF14DFA9C881AAEB7F5EF48314F24416EE844EB342E6799E01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0043B945, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\DpiScaling.exe,00000104), ref: 0043B985
_free.LIBCMT ref: 0043BA50
_free.LIBCMT ref: 0043BA5A

Strings

C:\Windows\SysWOW64\DpiScaling.exe, xrefs: 0043B97C, 0043B983, 0043B9B2, 0043B9EA

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\SysWOW64\DpiScaling.exe
API String ID: 2506810119-2099798370
Opcode ID: 2e33d589aacd168b063cad159b9fd18b8259228c100b27bee958b929c7f93110
Instruction ID: 4925da434f8c1ea58d0bb81f78ccbf0f5756c5843223a335305bf321aeb4d643
Opcode Fuzzy Hash: 2e33d589aacd168b063cad159b9fd18b8259228c100b27bee958b929c7f93110
Instruction Fuzzy Hash: 98319571A00608ABDB21EF95DD81B9FBBF8EF88310F10506BEA0497351D7788E41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00417B62, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00417C57

Part of subcall function 004107DE: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0045E6A8), ref: 004107ED
Part of subcall function 004107DE: RegSetValueExA.KERNELBASE(0045E6A8,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,00417C31,WallpaperStyle,0045E6A8,?,00000001,00000000,00000000), ref: 00410815
Part of subcall function 004107DE: RegCloseKey.ADVAPI32(0045E6A8,?,?,00417C31,WallpaperStyle,0045E6A8,?,00000001,00000000,00000000,?,00412F12), ref: 00410820

Strings

TileWallpaper, xrefs: 00417C41
Control Panel\Desktop, xrefs: 00417B9D, 00417BD0, 00417C20
WallpaperStyle, xrefs: 00417BA2, 00417BD5, 00417C25

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: fb58fbf37128ec6337e9b3a57f977a4be11d3c9d7755e600c98bd51fc8cccf15
Instruction ID: d37d0012f027c02b61abaa5209c0640de30f7e5fa59f4b5a044c3238bd181d8b
Opcode Fuzzy Hash: fb58fbf37128ec6337e9b3a57f977a4be11d3c9d7755e600c98bd51fc8cccf15
Instruction Fuzzy Hash: 66119631B8530067D829313A0E1BFAF28119392B55F91455BFA023A7C6E5CE5AD543DF

Uniqueness

Uniqueness Score: -1.00%

Function 00409277, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 74timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 00409285
SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0040932B

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040928E
], xrefs: 00409293

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: EventLocalTime
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 3120200302-1359877963
Opcode ID: 118f4b6d8f589124821ff2021a0dd1f3afd1ea9b7cfbe58a89f6bfff33fa8729
Instruction ID: 80452dcbb2511684e9b915d8e4cebaf92471e0f0795a10835034ce3f202b0b5c
Opcode Fuzzy Hash: 118f4b6d8f589124821ff2021a0dd1f3afd1ea9b7cfbe58a89f6bfff33fa8729
Instruction Fuzzy Hash: B02186B6804114AADB28BB66DC55DFF77B8AF14714F00013FF442A21D2EF7CAA85C668

Uniqueness

Uniqueness Score: -1.00%

Function 00447C9F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00447CCE

Strings

pvE, xrefs: 00447CB2

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID: pvE
API String ID: 269201875-3563313709
Opcode ID: ea553c9c6fa4d8d569102756f9b8887f0bb68f611d7cf2752261097f0656134b
Instruction ID: 5531c6919cc75f8df622a862563c4fc051d427ceef2fc200baf695d0e572df8d
Opcode Fuzzy Hash: ea553c9c6fa4d8d569102756f9b8887f0bb68f611d7cf2752261097f0656134b
Instruction Fuzzy Hash: EBF0817290D612AAFA142673A806F9B6659DF41378F20101FF4096A1C3DB69184342EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C50E, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C57C

Strings

ios_base::badbit set, xrefs: 0040C538
ios_base::failbit set, xrefs: 0040C55E
ios_base::eofbit set, xrefs: 0040C56B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 8559afada78f8f63c37816a55efa3dca8c0cb28dda95754cb9297f390721bd62
Instruction ID: ea4414782a846177f58ae164e0b1c310f7071e4e9d1b04f20cf355a937d80fdc
Opcode Fuzzy Hash: 8559afada78f8f63c37816a55efa3dca8c0cb28dda95754cb9297f390721bd62
Instruction Fuzzy Hash: 2501F770980204FAD710E790CCD3F7A33689B10704FA0427FBD01B54D2D67C7406866E

Uniqueness

Uniqueness Score: -1.00%

Function 00409195, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00409277: GetLocalTime.KERNEL32(?,?,00000000), ref: 00409285
Part of subcall function 00409277: SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0040932B

Part of subcall function 0041693E: GetLocalTime.KERNEL32(00000000), ref: 00416958

CloseHandle.KERNEL32(00000000), ref: 004091E0
UnhookWindowsHookEx.USER32(0046B348), ref: 004091F3

Strings

Online Keylogger Stopped, xrefs: 004091A3, 004091AA, 004091BC
[Info], xrefs: 004091C7

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseEventHandleHookUnhookWindows
String ID: Online Keylogger Stopped$[Info]
API String ID: 1699053329-1913360614
Opcode ID: 98e4ada7a476fa138bcb36e491374420fd366595fefe21271494ed06b9d999bc
Instruction ID: 72f4d1fd9d3746f1ed787e38b186b17ea882ebfd5c63c51e51d8a2a1cbfa49fd
Opcode Fuzzy Hash: 98e4ada7a476fa138bcb36e491374420fd366595fefe21271494ed06b9d999bc
Instruction Fuzzy Hash: E2F0A4716003106BEA293739890E76E7AA14B43311F50046FE582265D3DABE4D55D39A

Uniqueness

Uniqueness Score: -1.00%

Function 0041242A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00412466

Strings

/C , xrefs: 00412444
cmd.exe, xrefs: 0041245B
open, xrefs: 00412460

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 4dc172025996a16a83d9043b51c2d7465eb06d863964849c8a038114e616a10d
Instruction ID: b42fa691e34d4aaf56a2e8381a80d6bfd5844a31d223e05d136948ce58efa31b
Opcode Fuzzy Hash: 4dc172025996a16a83d9043b51c2d7465eb06d863964849c8a038114e616a10d
Instruction Fuzzy Hash: 24F049711083405BC304FB62DC92DAFB3A8AB91309F50583FB446A21E2EF3C9909C65A

Uniqueness

Uniqueness Score: -1.00%

Function 00410685, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,0046B570,0046B510,?), ref: 004106AF
RegQueryValueExW.ADVAPI32(0046B570,00000000,00000000,00000000,?,00000400), ref: 004106CA
RegCloseKey.ADVAPI32(0046B570), ref: 004106D3

Strings

http\shell\open\command, xrefs: 004106A5

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: 2c253833ce19afb7621b81bf4bd65d0b95195acae1e2fb0ee6997eeb59ff90e6
Instruction ID: b4391e36e1bf429b0c3900dd36aa7c2ad0137771611de3b7f8b3a5761516cd09
Opcode Fuzzy Hash: 2c253833ce19afb7621b81bf4bd65d0b95195acae1e2fb0ee6997eeb59ff90e6
Instruction Fuzzy Hash: 43F0C231600208FBDB509A95ED09EDFBBBCEBC5B01F1000ABB605E2050DAB45A95C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00410883, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,?), ref: 0041088E
RegSetValueExW.ADVAPI32(?,00464A1C,00000000,?,00000000,00000000,00464A1C,?,00406032,00464A1C,C:\Windows\SysWOW64\DpiScaling.exe), ref: 004108BD
RegCloseKey.ADVAPI32(?,?,00406032,00464A1C,C:\Windows\SysWOW64\DpiScaling.exe), ref: 004108C8

Strings

Software\Classes\mscfile\shell\open\command, xrefs: 0041088C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Classes\mscfile\shell\open\command
API String ID: 1818849710-505396733
Opcode ID: 7a3ab6f27480cea3cbf34a026c084b5a0769d59b72724709479157cbc38137ba
Instruction ID: d90f769ca525b2d0150d222dca2945f21fb8b1a8a672b490c492edae3696bdfe
Opcode Fuzzy Hash: 7a3ab6f27480cea3cbf34a026c084b5a0769d59b72724709479157cbc38137ba
Instruction Fuzzy Hash: EFF0AF31500218BBCF10AFA0EE05AEE376CEF05745F104226BD05A60A1E6759E04DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401397, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013A1
GetProcAddress.KERNEL32(00000000), ref: 004013A8

Strings

User32.dll, xrefs: 0040139C
GetCursorInfo, xrefs: 00401397

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: e2e573dce06bc6c4b5ca10be8ea0a38592433885eba8eefba5f782cd06c7998b
Instruction ID: f0dbcceed6b5ba20ddd7ac1fee769246e55475c795c8a25381e8e445eb9981fb
Opcode Fuzzy Hash: e2e573dce06bc6c4b5ca10be8ea0a38592433885eba8eefba5f782cd06c7998b
Instruction Fuzzy Hash: 1DB09BF45823015B8B045B705E0DA053555F985B03711007BF111D2191EBF44000CA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00401452, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 0040145C
GetProcAddress.KERNEL32(00000000), ref: 00401463

Strings

User32.dll, xrefs: 00401457
GetLastInputInfo, xrefs: 00401452

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: af57034909a899217349457a21a69fe8eb592630c5f6e32c4ebe0dc82f428f1a
Instruction ID: 5147fd05eb2b2da978dfc016418f9118bbbd1dd04b686916b502abaa3600e9ed
Opcode Fuzzy Hash: af57034909a899217349457a21a69fe8eb592630c5f6e32c4ebe0dc82f428f1a
Instruction Fuzzy Hash: 1EB09BF86C0305578A045BF45D0D5053654A5857037110167B411C1571F7F44040C71F

Uniqueness

Uniqueness Score: -1.00%

Function 0040146F, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00401479
GetProcAddress.KERNEL32(00000000), ref: 00401480

Strings

kernel32.dll, xrefs: 00401474
GetConsoleWindow, xrefs: 0040146F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetConsoleWindow$kernel32.dll
API String ID: 2574300362-100875112
Opcode ID: d1b1efb84040c1c49462a5d34fb8c1f0266702954e818b6414bb32c424dab619
Instruction ID: 3f3733256d4b249523b17a76e4c96979634c8b04f757633be2ad7c584c847e99
Opcode Fuzzy Hash: d1b1efb84040c1c49462a5d34fb8c1f0266702954e818b6414bb32c424dab619
Instruction Fuzzy Hash: 3EB092F8682300ABCB001FA0AF0DD063A64A685703B1101B3F411C26B2FBF88044CA6F

Uniqueness

Uniqueness Score: -1.00%

Function 0044F8DA, Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044FA09

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 009ce750c38678c52d6a6f62882bbf9785878cb38a85da7864cb447c4f458103
Instruction ID: 6b713d6d4998ec89814ec9f9be062bbf7a01efac565648ba6b48a23fd7bacedc
Opcode Fuzzy Hash: 009ce750c38678c52d6a6f62882bbf9785878cb38a85da7864cb447c4f458103
Instruction Fuzzy Hash: 19413A71A001017BFB207BBA9C46B6F3BA5EF49374F14013BF818E62D1D67C4D4946AA

Uniqueness

Uniqueness Score: -1.00%

Function 0043B131, Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c188c269d4ec5ca61f27c922958de36be0aed12ed9792cffb862c35a39cde84
Instruction ID: f720bb3accf97fa2da9a9a2ef294ab68417e0e81f3cc989c4b91236d6ee60ae5
Opcode Fuzzy Hash: 9c188c269d4ec5ca61f27c922958de36be0aed12ed9792cffb862c35a39cde84
Instruction Fuzzy Hash: 5A413771A00704AFDB249F78C846B6B7BA8EB8C710F10966FF611DB281D779A90187C8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D850, Relevance: 6.1, APIs: 4, Instructions: 127processCOMMON

Download Yara Rule

APIs

Part of subcall function 00417262: GetCurrentProcess.KERNEL32(?,?,?,00417D23,WinDir,00000000,00000000), ref: 00417273
Part of subcall function 00417262: IsWow64Process.KERNEL32(00000000,?,?,00417D23,WinDir,00000000,00000000), ref: 0041727A

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D870
Process32FirstW.KERNEL32(00000000,?), ref: 0040D892
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DA19
CloseHandle.KERNEL32(00000000), ref: 0040DA28

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
String ID:
API String ID: 715332099-0
Opcode ID: 61fcb32b55af7fb7df573e7382d64f19aabe4b186690a82cf009d6021eccf980
Instruction ID: e7b6d413bb7cb61c1df822604d7fec526f0e16eb4605486ebc76a93cd3f6044d
Opcode Fuzzy Hash: 61fcb32b55af7fb7df573e7382d64f19aabe4b186690a82cf009d6021eccf980
Instruction Fuzzy Hash: E5414A71A042198AC725F761DC51EEEB374AF14304F5001BFB00AB61E2EF785E8ACE58

Uniqueness

Uniqueness Score: -1.00%

Function 004088D2, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 78sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041770D: GetForegroundWindow.USER32(75146490,?), ref: 0041771D
Part of subcall function 0041770D: GetWindowTextLengthA.USER32(00000000), ref: 00417726
Part of subcall function 0041770D: GetWindowTextA.USER32 ref: 00417759

Sleep.KERNEL32(000001F4), ref: 00408929
Sleep.KERNEL32(00000064), ref: 004089BC

Strings

[ , xrefs: 00408941
], xrefs: 0040892D

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: b39d3de69f8d50affe27c0d4aa4cf7c78a581ed9dca3685e8cc166aac7f043c1
Instruction ID: d1ac725b00d020522177e6e227c1e23d60b121b6bb9c40abd56d6e91b2b45589
Opcode Fuzzy Hash: b39d3de69f8d50affe27c0d4aa4cf7c78a581ed9dca3685e8cc166aac7f043c1
Instruction Fuzzy Hash: 1B217FB1A0430067D208B766DD17AAE73589B51308F50453FF982671D3FE7DAA09869F

Uniqueness

Uniqueness Score: -1.00%

Function 0043BF43, Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072ed3c31ce06d539ed154dfa25495c9cbf4c7cf5d0dcf565f7ea142ee6f4073
Instruction ID: f0cc5767e467896d675ea7964a2b97e761fc336aa22cd801c4878654b8893c66
Opcode Fuzzy Hash: 072ed3c31ce06d539ed154dfa25495c9cbf4c7cf5d0dcf565f7ea142ee6f4073
Instruction Fuzzy Hash: B301FCB26096057DE6201A796CC0F27660DDF493B8F303327F621912D2DB688C414AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0043BFC2, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7f42680602ea11ef08c3d8d66750ce8859ddf0f5f1b142427952e3124230fb
Instruction ID: a66623f8a111caa3722cc8d46a9821e15e5b10992bba9c7e440520f96f62d2a9
Opcode Fuzzy Hash: 9f7f42680602ea11ef08c3d8d66750ce8859ddf0f5f1b142427952e3124230fb
Instruction Fuzzy Hash: A70149B22056127EE63426B96CC0D2B722CDF893B8B30233BF521B12C6DF68CC00426C

Uniqueness

Uniqueness Score: -1.00%

Function 00440AF3, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00440A9A,00000000,00000000,00000000,00000000,?,00440DC6,00000006,FlsSetValue), ref: 00440B25
GetLastError.KERNEL32(?,00440A9A,00000000,00000000,00000000,00000000,?,00440DC6,00000006,FlsSetValue,00458018,00458020,00000000,00000364,?,00440874), ref: 00440B31
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00440A9A,00000000,00000000,00000000,00000000,?,00440DC6,00000006,FlsSetValue,00458018,00458020,00000000), ref: 00440B3F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: be712f1832d04d5dd4be3ee034131cc23af5166b77b23d571f80cdf26ebdb116
Instruction ID: 782b7f593499f274b0e038a3f1c8f58be111435135f7a2662378c508bcd097d4
Opcode Fuzzy Hash: be712f1832d04d5dd4be3ee034131cc23af5166b77b23d571f80cdf26ebdb116
Instruction Fuzzy Hash: 1B01FC326017629BD7614AB8AC44D577B58EF06BA67100633FB05E7241DB34E911C6ED

Uniqueness

Uniqueness Score: -1.00%

Function 004326A1, Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004326B8

Part of subcall function 00432CF0: ___AdjustPointer.LIBCMT ref: 00432D3A

_UnwindNestedFrames.LIBCMT ref: 004326CF
___FrameUnwindToState.LIBVCRUNTIME ref: 004326E1
CallCatchBlock.LIBVCRUNTIME ref: 00432705

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
Instruction ID: 13f1e1576fcd07279dcbf22e9ecf9133bca8453518cade27896c573cbdfd824e
Opcode Fuzzy Hash: 94d24e599c38bfd0fe9448f4d259b7e070b739f8f5fce39f4dfa045fc21e001f
Instruction Fuzzy Hash: 9501E932000109BBCF126F56CD06EDA7BBAFF5C758F15501AF91865121C7BAE861EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004172C6, Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,00000000,00000000), ref: 004172DB
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 004172FD
CloseHandle.KERNEL32(00000000), ref: 00417308
CloseHandle.KERNEL32(00000000), ref: 00417310

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileModuleNameOpenProcess
String ID:
API String ID: 3706008839-0
Opcode ID: 51e84bac6e604c51010193b5c8e96056c0b5309b080a48d128c37ec03aba6a0c
Instruction ID: 60ad3bfeb3a95ca25c751d2e3616cf2cbf417a7d3c9046384451d84a2df04240
Opcode Fuzzy Hash: 51e84bac6e604c51010193b5c8e96056c0b5309b080a48d128c37ec03aba6a0c
Instruction Fuzzy Hash: A1F0E23134430D67D66062545C0DFAB777C9B85B42F1002BBFE15E22A2EEB4C88286AE

Uniqueness

Uniqueness Score: -1.00%

Function 0043168E, Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0043168E
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00431693
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00431698

Part of subcall function 00434B25: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00434B36

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004316AD

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: cef0697e435facc545bfafef7ff45e7af44cf0f7a648eeb5dec41964465f9cb0
Instruction ID: c7af76b880aaf72d02e5f06645891935ba82ff0535a5a25f817f7f177350a549
Opcode Fuzzy Hash: cef0697e435facc545bfafef7ff45e7af44cf0f7a648eeb5dec41964465f9cb0
Instruction Fuzzy Hash: 04C00248804202162C5436F212132EA53011CEE39EF88748FA88116963894D642B952E

Uniqueness

Uniqueness Score: -1.00%

Function 0043EAAD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0043EB3D

Strings

pow, xrefs: 0043EB15, 0043EB32

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fa5925156b6740df865ab7178054ef8ab27850031099426175af48070e098d5b
Instruction ID: 7e340ccb47599e3c5de8388dce7dfb706337c3c668e89f3f0d7399b4088cc358
Opcode Fuzzy Hash: fa5925156b6740df865ab7178054ef8ab27850031099426175af48070e098d5b
Instruction Fuzzy Hash: E1517B61A06602D6FB12BB15C98136B7790DB44711F306CAFE086423E9EF3DDC819A8E

Uniqueness

Uniqueness Score: -1.00%

Function 00444A54, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

Strings

RRD, xrefs: 00444AE4, 00444BDB
RRD, xrefs: 00444A67

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID: RRD$RRD
API String ID: 0-2085030013
Opcode ID: 151c82b2c0807398592469ad45eaa1f75ec18920ce96aec94e302bfcdb88910c
Instruction ID: b210a50f2f27d4b2740f9521c44ad6a9ba82dc754f9433774e54ab0a19fc4eaf
Opcode Fuzzy Hash: 151c82b2c0807398592469ad45eaa1f75ec18920ce96aec94e302bfcdb88910c
Instruction Fuzzy Hash: 76513C71A04245EBEB20DF54C8C1BAE7770FF95310F25815BD554AF390E278EA82CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00445A04, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00445A29

Strings

, xrefs: 00445A6E
6_D, xrefs: 00445A1B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Info
String ID: $6_D
API String ID: 1807457897-1153940800
Opcode ID: c279466e84a575e80beb0f72de3eff3160bc0217805c5c7b1f8238bfebfba1b8
Instruction ID: aa86c75fab8c52ee46d30b44b8f4aa92d3bad70aee0ca662ab8cf97aad02deac
Opcode Fuzzy Hash: c279466e84a575e80beb0f72de3eff3160bc0217805c5c7b1f8238bfebfba1b8
Instruction Fuzzy Hash: 61412A7050469C9FEF218E248C84AF6BBB9EB45308F1405EEE58A97143D239AE46DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0043C208, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043C2DE

Strings

KC, xrefs: 0043C319
Z@, xrefs: 0043C289

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: _free
String ID: KC$Z@
API String ID: 269201875-2130522889
Opcode ID: 901c556698cf74bf2b11b93cdec6d9ccdbc2892b5fd02a645004eb592b219ada
Instruction ID: 8dffecfa47f68ad9cb5945e734efa5b56f834e007efa60693dcff0213ff697d2
Opcode Fuzzy Hash: 901c556698cf74bf2b11b93cdec6d9ccdbc2892b5fd02a645004eb592b219ada
Instruction Fuzzy Hash: BD418032A00714DFCB18DFA9D8C096EB7B1EF8D324B1581AAE515EB3A1D7709C41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040412D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404147

Part of subcall function 00416D42: GetCurrentProcessId.KERNEL32(00000000,7519FBB0,00000000,?,?,?,?,?,0040B309,.vbs), ref: 00416D69

Part of subcall function 0041762A: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000000,?,00413490), ref: 00417647

Sleep.KERNEL32(000000FA,0045E414), ref: 00404219

Strings

/sort "Visit Time" /stext ", xrefs: 00404193

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: File$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 3753550655-1573945896
Opcode ID: 0346bc780eb71ec045fcb2b22e2a8c6c9b4544a4c24e5c48055beb5d04faaee0
Instruction ID: cf12e84defec07cb4caaf30fc0e71cfa4ed6508f194ff7b75e528c0bd2f0c136
Opcode Fuzzy Hash: 0346bc780eb71ec045fcb2b22e2a8c6c9b4544a4c24e5c48055beb5d04faaee0
Instruction Fuzzy Hash: 4631A471A1021957CB18F772DC969ED7775AF80348F00007FF506B31E2EF381A4A8A99

Uniqueness

Uniqueness Score: -1.00%

Function 004487F8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00448A53,?,00000050,?,?,?,?,?), ref: 004488D3

Strings

OCP, xrefs: 0044884C
ACP, xrefs: 00448816

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 7ce15a2bdac6fbea024304a167d1ba1dbaa234ebac63e5b135fb84abae461da8
Instruction ID: 775f9838545a99fccb1881b8c217c4cf2cbdf881accb3dbc95adb44ebfcfca50
Opcode Fuzzy Hash: 7ce15a2bdac6fbea024304a167d1ba1dbaa234ebac63e5b135fb84abae461da8
Instruction Fuzzy Hash: A221C722A00104A6F734AB55CD01B9F72A69FA4B50FD6842FE90AE7301EF3ADD41C358

Uniqueness

Uniqueness Score: -1.00%

Function 00409DB3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0042EE10: __onexit.LIBCMT ref: 0042EE16

__Init_thread_footer.LIBCMT ref: 00409DFF

Strings

[End of clipboard text], xrefs: 00409E48
[Following text has been copied to clipboard:], xrefs: 00409E43

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
API String ID: 1881088180-3441917614
Opcode ID: 0041f4488a88b88ce400c676ffefdda3f65116b7b83d1c6d6a9b2fbba2db4c4f
Instruction ID: 1e3b398728fb1a709a3a0cfa47d1f015badacba4125f2dc28c77ed6a0bb513c3
Opcode Fuzzy Hash: 0041f4488a88b88ce400c676ffefdda3f65116b7b83d1c6d6a9b2fbba2db4c4f
Instruction Fuzzy Hash: 2A11E131B0020556CA04FA6AEC82EAE73689B84318B50013FF901B76D3EF3C9D4686CD

Uniqueness

Uniqueness Score: -1.00%

Function 00441140, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,BBE85006,00000001,?,00436D57), ref: 004411B1

Strings

Z@, xrefs: 0044118D
LCMapStringEx, xrefs: 0044115B

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$Z@
API String ID: 2568140703-4217484539
Opcode ID: 9e0de1441ef7a8ce70a4073800cc6e05d8d5c46683a233d47b106be4ba7a0920
Instruction ID: 2a5d401b1f16ff2d658db63a215fae73c41cefee3c09b80cf090363d7a5c388e
Opcode Fuzzy Hash: 9e0de1441ef7a8ce70a4073800cc6e05d8d5c46683a233d47b106be4ba7a0920
Instruction Fuzzy Hash: 3F011332540209BBCF12AF90DD02DAE3FA6EF0C755F05412AFE1825161CA7AC931EB99

Uniqueness

Uniqueness Score: -1.00%

Function 00440DF8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

GetDateFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,0044001B,?,00000000,00401D19), ref: 00440E63

Strings

GetDateFormatEx, xrefs: 00440E09, 00440E13
Z@, xrefs: 00440E3F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DateFormat
String ID: GetDateFormatEx$Z@
API String ID: 2793631785-298617967
Opcode ID: 96d20b17cbab9e9a9f3cc16ed28210b093b39fb248d49d822b20181d9c34d0f1
Instruction ID: c1bf8f6ceb649d950b170a4cd0f5dc56e3dcfd5b17f2cae74bf2ac5c95b9c6b5
Opcode Fuzzy Hash: 96d20b17cbab9e9a9f3cc16ed28210b093b39fb248d49d822b20181d9c34d0f1
Instruction Fuzzy Hash: B4017C3254021DFBCF125F90DC02E9F7F66EF18751F11401AFE0525161CABA8935EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00409206, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(?), ref: 00409264

Part of subcall function 00409277: GetLocalTime.KERNEL32(?,?,00000000), ref: 00409285
Part of subcall function 00409277: SetEvent.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000000), ref: 0040932B

Strings

[Info], xrefs: 00409241
Offline Keylogger Stopped, xrefs: 00409218, 00409224, 00409236

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: EventHookLocalTimeUnhookWindows
String ID: Offline Keylogger Stopped$[Info]
API String ID: 2346154624-1791908007
Opcode ID: 1b8f390c9f6a1d766a25b9b9b24b926373f5d3c15a86c0826ebcff40758a2e06
Instruction ID: fe44383e814a141ab93af63ad2807d56ebf9c4470300d7b640963740028c446f
Opcode Fuzzy Hash: 1b8f390c9f6a1d766a25b9b9b24b926373f5d3c15a86c0826ebcff40758a2e06
Instruction Fuzzy Hash: 16F0F421A043006BDB3A373A890E73A7A944B43311F5408AFE582326D3D6BE0D95C39B

Uniqueness

Uniqueness Score: -1.00%

Function 00440F3A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,0044001B,?,00000000,00401D19), ref: 00440F93

Strings

Z@, xrefs: 00440F7E
GetTimeFormatEx, xrefs: 00440F4B, 00440F55

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FormatTime
String ID: GetTimeFormatEx$Z@
API String ID: 3606616251-3793989545
Opcode ID: 7fecedf216cc81c061c5355a96636eb81adeddc137cc241962cb5db413ef7935
Instruction ID: 35b09f77ecabc058c51b3b07af6eaf3235370d156dc5e8a6dcc44002dfe89abc
Opcode Fuzzy Hash: 7fecedf216cc81c061c5355a96636eb81adeddc137cc241962cb5db413ef7935
Instruction Fuzzy Hash: ACF0C831640318BBDF216F51DC02EAE7F65EF09B11F41002AFE05261A2CEB589299BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00440FAA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(00000055,?,00000000,004482C9,?,00000055,00000050), ref: 00440FF4

Strings

GetUserDefaultLocaleName, xrefs: 00440FBB, 00440FC5
Z@, xrefs: 00440FE2

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DefaultUser
String ID: GetUserDefaultLocaleName$Z@
API String ID: 3358694519-2907648013
Opcode ID: 2fc67a8855388532b242d429a7148e41960e8049ab587c5a08ca9c6027650dd5
Instruction ID: ca886c80acb588775ee811d07aabdcad4d0b88ed59b41530c46441100db02909
Opcode Fuzzy Hash: 2fc67a8855388532b242d429a7148e41960e8049ab587c5a08ca9c6027650dd5
Instruction Fuzzy Hash: 9AF0F630600218BBDF206B529C06E5E7F64EB04B15F11402AFD05361A2DEB98915D6CC

Uniqueness

Uniqueness Score: -1.00%

Function 00441073, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,0043D02B,00000000,00000001,?,?,0043D02B,?,?,0043CA0B,?,00000004), ref: 004410BF

Strings

Z@, xrefs: 004410A8
IsValidLocaleName, xrefs: 00441084, 0044108E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$Z@
API String ID: 1901932003-3373397250
Opcode ID: d050a010f892ebfca2256cd7da1b909d072503eb8e8906aad8285ee95a056f75
Instruction ID: 1cda8db220e3cf3fbd12ff47f4164866c64def9be0171870d75db1c7778a6864
Opcode Fuzzy Hash: d050a010f892ebfca2256cd7da1b909d072503eb8e8906aad8285ee95a056f75
Instruction Fuzzy Hash: 6AF02430680318B3DA206B209C06F5E7B94CB04B02F41002AFE0537291DDB89D48858D

Uniqueness

Uniqueness Score: -1.00%

Function 00441011, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00444190,-00000020,00000FA0,00000000,?,?), ref: 0044105C

Strings

InitializeCriticalSectionEx, xrefs: 0044102C
Z@, xrefs: 0044104C

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$Z@
API String ID: 2593887523-640532015
Opcode ID: 3060cded662dd147c9d48cb0079e7473d1a0897ae07c13b0ec2c59210c4605b1
Instruction ID: 910d51b0ea34269fa62c2b3daa6b406d58e14b090b3442e2d7dc437f923cc67b
Opcode Fuzzy Hash: 3060cded662dd147c9d48cb0079e7473d1a0897ae07c13b0ec2c59210c4605b1
Instruction Fuzzy Hash: 09F02431600218FBCF205F10DC02D9E7F60EB04751B40802AFD0926262CEB58E14DA9C

Uniqueness

Uniqueness Score: -1.00%

Function 00440CF3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?), ref: 00440D32

Strings

Z@, xrefs: 00440D28
FlsFree, xrefs: 00440D0E

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Free
String ID: FlsFree$Z@
API String ID: 3978063606-3720848842
Opcode ID: 0c9fd826511883403cd9f960293ed2af8b6965acf6f3cc7deeaaea3ecee32270
Instruction ID: 4c68c6456ecb5da8a99bc96f00a6a8476689d9ef327dbb90d1cf80b048d344a8
Opcode Fuzzy Hash: 0c9fd826511883403cd9f960293ed2af8b6965acf6f3cc7deeaaea3ecee32270
Instruction Fuzzy Hash: 33E02071A40218AB8A106F519C02A2EBB54DF04B02B81006FFD0526282CEB9AE1886DD

Uniqueness

Uniqueness Score: -1.00%

Function 00440C9D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00440CDC

Strings

FlsAlloc, xrefs: 00440CB8
Z@, xrefs: 00440CD2

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc$Z@
API String ID: 2773662609-4088768579
Opcode ID: 358b4863337b19705d0210e283acb2a15f5943fc76aa8946646e66767127a7b9
Instruction ID: 5a4327d15ce0abdb9800bd267293b76d8cf814d286df70f786e66a9a57cecfce
Opcode Fuzzy Hash: 358b4863337b19705d0210e283acb2a15f5943fc76aa8946646e66767127a7b9
Instruction Fuzzy Hash: 9BE05530640318E7DA146B119D02E2EBB58DB04B12B91016FFC0522282DDB85E1986DE

Uniqueness

Uniqueness Score: -1.00%

Function 00440EE4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00435104), ref: 00440F23

Strings

Z@, xrefs: 00440F19
GetSystemTimePreciseAsFileTime, xrefs: 00440EFF

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$Z@
API String ID: 2086374402-1802611767
Opcode ID: 51cc260d05171d8bdda53a838900afbc8bf6083b1dd3169b2b7ba9c929eef619
Instruction ID: d7df52526606a494832bb5548e6270e2caccca2f3c3ad1f29dda5dce13e6e119
Opcode Fuzzy Hash: 51cc260d05171d8bdda53a838900afbc8bf6083b1dd3169b2b7ba9c929eef619
Instruction Fuzzy Hash: 4CE0E531B40318B79B206B21AC02E3EBB64DB05B12B51017FFC0567293DDB98E1996DE

Uniqueness

Uniqueness Score: -1.00%

Function 00410A93, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,0046B4F8,80000002,?,0040B247,00000000,?,0046B510,0046B4F8), ref: 00410AA1
RegDeleteValueW.ADVAPI32(0046B4F8,0046B510,?,0040B247,00000000,?,0046B510,0046B4F8), ref: 00410AB5

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00410A9F

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: abc9b14c0e9cca758d339038eefb8113761b1a980280b0166aac3126a48059a4
Instruction ID: 6832adcb8ce98d846c8e72d571bc9efaffa53b6ad138d63ad54627061305b877
Opcode Fuzzy Hash: abc9b14c0e9cca758d339038eefb8113761b1a980280b0166aac3126a48059a4
Instruction Fuzzy Hash: BAE0C231241308BBEF104FA0DD06FFB372CEB42B41F1002A6BA05920D1D6B6DE459668

Uniqueness

Uniqueness Score: -1.00%

Function 004499FC, Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D19), ref: 00449A92
GetLastError.KERNEL32 ref: 00449AA0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00449AFB

Memory Dump Source

Source File: 00000019.00000002.493088248.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000002.493573800.000000000046E000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_400000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1fe93a52f09441a00bbf49d4fcf83fb3ff76eb5b9c11891e1f741fe44751cdf7
Instruction ID: c9c5620800c261e4deccaa6f4675efc2d77b8081e755e742595ea05feda46652
Opcode Fuzzy Hash: 1fe93a52f09441a00bbf49d4fcf83fb3ff76eb5b9c11891e1f741fe44751cdf7
Instruction Fuzzy Hash: 09412A30600282AFEF21CF65DC44A7B7BA5FF41324F1441ABF85867291DB34AD01E769

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://www.sendspace.com/pro/dl/eu3kr3

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Remcos

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Function 04AC02A8, Relevance: 1.7, Strings: 1, Instructions: 475
COMMON

Function 0099B0B2, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 0099AB70, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0099A504, Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 0099A120, Relevance: 1.6, APIs: 1, Instructions: 85
fileCOMMON

Function 0099AB96, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0099B0E2, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 0099A77C, Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 0099A85F, Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 0099AA13, Relevance: 1.6, APIs: 1, Instructions: 76
pipeCOMMON

Function 0099A52A, Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 0099A6BB, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 0099A600, Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 0099A448, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 0099A88E, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre